Adversaries may create Rclone config files to exfiltrate data to cloud storage or to keep a persistent sync channel into the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel so that staging for data exfiltration is caught early, before the transfer completes.
Detection Rule
```yaml
title: Rclone Config File Creation
id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
status: test
description: Detects Rclone config files being created
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-26
modified: 2023-05-09
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains|all:
            - ':\Users\'
            - '\.config\rclone\'
    condition: selection
falsepositives:
    - Legitimate Rclone usage
level: medium
```
```kql
// Azure Sentinel hunting query over the ASIM file event parser.
// The Sigma TargetFilename field is the full path; in ASIM that is
// TargetFilePath (TargetFileName holds only the bare file name, so
// ":\Users\" would never match against it).
imFileEvent
| where TargetFilePath contains ":\\Users\\" and TargetFilePath contains "\\.config\\rclone\\"
```
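To see exactly what the selection above does and does not fire on, here is an added Python replay of the rule over constructed Windows file-creation records; this is example code written for this page, not part of the Sigma rule or NCC Group's research, and the user names, paths and the allowlist of tuned-out accounts are hypothetical.

```python
"""Replay the 'Rclone Config File Creation' Sigma selection over constructed
Windows file_event records (hypothetical sample data, not from the page)."""
from dataclasses import dataclass

# Sigma `contains|all` values from the rule. Sigma string matching is
# case-insensitive by default, so both sides are lowercased before comparing.
RCLONE_CONFIG_MARKERS = (":\\users\\", "\\.config\\rclone\\")


@dataclass(frozen=True)
class FileEvent:
    target_filename: str   # full path, as in Sysmon Event ID 11 TargetFilename
    user: str              # account that created the file


def matches_rclone_config_rule(event: FileEvent) -> bool:
    """True when every marker appears in the created file's full path."""
    path = event.target_filename.lower()
    return all(marker in path for marker in RCLONE_CONFIG_MARKERS)


def alerts(events, allowlisted_users=frozenset()):
    """Apply the rule, then drop hits from accounts tuned out as
    'Legitimate Rclone usage' (e.g. a documented backup service account)."""
    return [
        e for e in events
        if matches_rclone_config_rule(e) and e.user.lower() not in allowlisted_users
    ]


# Constructed sample events (hypothetical users; not real telemetry).
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\.config\rclone\rclone.conf", "CORP\\alice"),
    FileEvent(r"c:\users\MALLORY\.CONFIG\RCLONE\rclone.conf", "CORP\\mallory"),   # case differs
    FileEvent(r"C:\Users\bob\Downloads\rclone.conf", "CORP\\bob"),                 # not under .config\rclone
    FileEvent(r"C:\ProgramData\rclone\rclone.conf", "NT AUTHORITY\\SYSTEM"),       # not under :\Users\
    FileEvent(r"D:\Users\svc_backup\.config\rclone\rclone.conf", "CORP\\svc_backup"),
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS, allowlisted_users={"corp\\svc_backup"}):
        print(f"ALERT rclone config created by {hit.user}: {hit.target_filename}")
```

Note that the rule keys only on the default `~\.config\rclone\` location, so a config written elsewhere (as in the `C:\ProgramData` or `Downloads` samples) is outside its scope by design.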
Scenario: System Administrator Creates Rclone Config for Backup Purposes
Description: An admin is setting up a backup solution using Rclone to sync data to a cloud storage service.
Filter/Exclusion: Check for the presence of known backup tools (e.g., rsync, backuppc, bacula) or check the file path against known backup directories (e.g., /etc/backup/, /opt/backup/).

Scenario: Scheduled Job Generates Rclone Config Temporarily
Description: A cron job or systemd timer is generating a temporary Rclone config file as part of an automated process.
Filter/Exclusion: Filter by file modification time (e.g., files created within the last 5 minutes) or check for temporary file patterns (e.g., rclone-temp-*.conf).

Scenario: DevOps Team Deploys Infrastructure with Rclone Config as Part of CI/CD Pipeline
Description: A CI/CD pipeline deploys a new environment and includes an Rclone config file for cloud storage integration.
Filter/Exclusion: Check for deployment tools (e.g., Ansible, Terraform, Kubernetes) or check the file path against known deployment directories (e.g., /opt/deployments/, /var/lib/configs/).

Scenario: User Creates Rclone Config for Personal Use on Workstation
Description: A user creates an Rclone config file on their local machine for personal cloud storage access, and the system logs the file creation.
Filter/Exclusion: Filter by user context (e.g., non-admin users) or check for local file paths (e.g., ~/.config/rclone/, /home/user/.rclone.conf).

Scenario: Rclone Config File is Created as Part of a Security Tool or Monitoring