Query Details

Rclone Use Detection

Query

let Timeframe = 2d; // Choose the best timeframe for your investigation
DeviceProcessEvents
    | where TimeGenerated > ago(Timeframe)
    | where ProcessVersionInfoProductName has "Rclone"
    | where ProcessCommandLine contains @"rclone" or ProcessCommandLine contains @"--Launch"
    | project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, ProcessCreationTime, AccountName, AccountUpn
    | sort by TimeGenerated desc

About this query

Rclone use detection

Description

The following query will detect execution of the Rclone command-line program which is related to ransomware exfiltration activity.

References

Microsoft Defender XDR

Versioning

VersionDateComments
1.023/05/2024Initial publish

Explanation

This query is designed to detect the use of the Rclone command-line program, which is often associated with ransomware activities involving data exfiltration. Here's a simple breakdown of what the query does:

  1. Timeframe: It looks at data from the past two days (2d).

  2. Data Source: The query examines events related to processes on devices (DeviceProcessEvents).

  3. Filter Criteria:

    • It checks for processes where the product name includes "Rclone".
    • It further filters these processes to those where the command line includes the term "rclone" or "--Launch".
  4. Data Projection: It selects specific details about these processes, including:

    • When the event was generated (TimeGenerated).
    • The name of the device where the process ran (DeviceName).
    • The path and name of the folder and file involved (FolderPath, FileName).
    • The full command line used to run the process (ProcessCommandLine).
    • When the process was created (ProcessCreationTime).
    • The account name and user principal name associated with the process (AccountName, AccountUpn).
  5. Sorting: The results are sorted by the time the event was generated, in descending order, so the most recent events appear first.

This query helps security teams identify potential malicious activity involving Rclone, aiding in the investigation of data exfiltration incidents.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: May 23, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsTimeGeneratedNameFolderPathFileCommandLineCreationAccountUpn

Operators

let|wherehascontainsorprojectsort bydesc

Actions

GitHub