The Renamed Rclone Exfil hunting query looks for copies of Rclone that have been renamed to evade name-based detection. It matches processes in the Microsoft 365 Defender DeviceProcessEvents table whose embedded version information names the product as Rclone while the file name on disk no longer contains "rclone"; adversaries rename the tool because its file transfer capabilities make it a convenient and quiet way to move data to cloud storage. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify data exfiltration attempts that use disguised Rclone instances.
KQL Query

```kql
DeviceProcessEvents
| where ProcessVersionInfoProductName has "rclone" and not(FileName has "rclone")
```

Rule definition (YAML):

```yaml
id: 2b2e8b89-ba54-48f9-a24f-b9ae16a7ef6d
name: Renamed Rclone Exfil
description: |
  Microsoft has observed Bazacall using a renamed version of Rclone for data exfiltration.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Exfiltration
query: |
  DeviceProcessEvents
  | where ProcessVersionInfoProductName has "rclone" and not(FileName has "rclone")
```
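The following self-contained KQL is an added illustration written for this page, not part of the hunting query or of Microsoft's rule. It shows how the rule's `has` operator treats file names: `has` matches whole terms (runs of alphanumeric characters), so a copy called `rclone2.exe` fires while a versioned `rclone-v1.65.2.exe` does not, and a binary whose version resource has been stripped is invisible to the rule. The rows are constructed, and the product-name value assumes the Rclone build carries a version resource naming the product "Rclone". It runs in any Log Analytics or Kusto query window and needs no connector.

```kql
// Constructed DeviceProcessEvents-shaped rows (added example, not real telemetry).
datatable(FileName:string, ProcessVersionInfoProductName:string, Note:string)
[
    "rclone.exe",         "Rclone", "stock name: FileName has 'rclone', excluded",
    "rclone-v1.65.2.exe", "Rclone", "'-' and '.' split terms, so 'rclone' is still a whole term, excluded",
    "rclone2.exe",        "Rclone", "'rclone2' is a single term, not 'rclone': fires",
    "svchost.exe",        "Rclone", "masquerading as a system binary: fires",
    "svchost.exe",        "",       "version resource stripped or edited: rule is blind",
    "7z.exe",             "7-Zip",  "unrelated product: no match"
]
// Exactly the rule's predicate, applied to each constructed row.
| extend Fires = ProcessVersionInfoProductName has "rclone" and not(FileName has "rclone")
| project FileName, ProcessVersionInfoProductName, Fires, Note
```

The last-but-one row is the rule's blind spot: the match depends entirely on the PE version resource, which an adversary can strip or edit, so pair this hunt with hash- and behaviour-based coverage rather than relying on it alone.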
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector is enabled and streaming this table |
Scenario: Scheduled Rclone Backup Job
Description: An administrator schedules a legitimate Rclone backup job to transfer data to a remote storage service (e.g., Google Drive, Dropbox).
Filter/Exclusion: DeviceProcessEvents does not record the destination, so an exclusion keyed on remote storage endpoints needs DeviceNetworkEvents joined on device, process id and process creation time. Within the process table, baseline the job by the SHA256 of the approved Rclone build, the host it runs on, the service account, the Task Scheduler parent (svchost.exe with -s Schedule on its command line) and the remote name in the command line, and exclude only rows that match the whole profile.
Scenario: Admin Renaming Rclone for Internal Use
Description: A system administrator renames the Rclone binary (e.g., rclone2) to avoid detection by security tools while using it for internal file synchronization.
Filter/Exclusion: This scenario is, by construction, what the rule detects, and a copy named rclone2.exe still fires because `has` matches whole terms. Do not exclude it on the account or privilege of the user who launched it; a compromised administrator account is exactly the case the rule exists for. Either have the administrator run the binary under its real name, or allowlist the renamed copy's SHA256 together with the host it is documented to run on, and re-review that entry whenever Rclone is upgraded.
Scenario: Rclone Used for Log Aggregation
Description: Rclone is configured to transfer log files from multiple servers to a centralized logging server (e.g., Splunk, ELK stack) for monitoring and analysis.
Filter/Exclusion: File types are not visible in DeviceProcessEvents beyond what appears in ProcessCommandLine, so filter on the source path and remote name in the command line (a log directory as the source, a documented remote as the target) and on the destination host from DeviceNetworkEvents being the log aggregation server; keep the SHA256 and host constraints from the backup scenario.
Scenario: Rclone Used for File Sync Between Branch Offices
Description: Rclone is used to synchronize files between branch offices over a secure internal network, ensuring data consistency across locations.
Filter/Exclusion: Join to DeviceNetworkEvents and treat destinations that are private addresses (ipv4_is_private) or known branch-office hosts as internal, and filter by the documented sync directories in the command line. A renamed Rclone that only talks to internal ranges is lower priority but still worth a look, since staging data on an internal host is a common step before it is moved out.
Scenario: Rclone Used for Archiving Old Data
Description: Rclone is used to archive old or unused data to a long-term storage solution (e.g., AWS S3, Azure Blob Storage) as part of a data retention policy.
Filter/Exclusion: Exclude transfers whose destination (from DeviceNetworkEvents) is a known archival storage endpoint and whose command line names the documented archive remote. File age and retention policy compliance are not observable from process telemetry, so verify them against the job's own configuration rather than in the query.
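The following tuned hunting query is an added example written for this page, not the rule's own query, and it serves all five scenarios above. It applies the exclusions they call for using fields the tables actually carry: the approved build's SHA256, the host, the Task Scheduler parent, the Rclone subcommand and remote name parsed from the command line, and the destination from DeviceNetworkEvents joined on device, process id and creation time. The hash, host and endpoint values are placeholders to be replaced with values baselined from your own environment; the remote-name regex is a heuristic; and the ProcessVersionInfoOriginalFileName pivot assumes the Rclone build populates that field.

```kql
// Added example for this page, not the rule's own query. Placeholder values
// (hashes, hosts, endpoints) must be replaced with values baselined from your
// environment before use.
let lookback = 7d;
// SHA256 of Rclone builds your own jobs are permitted to run, renamed or not.
// Allowlist the file, never the account: a compromised admin account is the
// exact case the rule exists for.
let approved_rclone_hashes = dynamic(["<sha256-of-approved-rclone-build>"]);
// Hosts (DeviceName as reported by Defender) that run sanctioned scheduled
// backup, log-shipping or archive jobs.
let backup_hosts = dynamic(["bkp-srv01.corp.example.com", "log-collector01.corp.example.com"]);
// Exact destination hosts sanctioned jobs talk to (matched against RemoteUrl).
let approved_remote_hosts = dynamic(["storage.googleapis.com", "myorg.blob.core.windows.net"]);
let renamed_rclone =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    // Rule logic, widened with the version resource's original file name
    // (assumes the build populates it; drop the clause if yours does not).
    | where (ProcessVersionInfoProductName has "rclone"
             or ProcessVersionInfoOriginalFileName =~ "rclone.exe")
        and not(FileName has "rclone")
    // Split the command line the Windows way so quoted paths stay intact;
    // Args[1] is the rclone subcommand (copy, sync, move, lsd, ...).
    | extend Args = parse_command_line(ProcessCommandLine, "windows")
    | extend Verb = tolower(tostring(Args[1]))
    // Heuristic: first "name:" token of two or more characters is taken as the
    // rclone remote (gdrive:, s3:, azureblob:). Drive letters (C:\) are skipped.
    | extend Remote = extract(@"(?:^|\s)([A-Za-z0-9][A-Za-z0-9_.-]+):", 1, ProcessCommandLine)
    | extend ApprovedHash  = SHA256 in (approved_rclone_hashes),
             BackupHost    = DeviceName in~ (backup_hosts),
             // Task Scheduler actions are children of the Schedule service host.
             ScheduledTask = InitiatingProcessFileName =~ "svchost.exe"
                             and InitiatingProcessCommandLine has "Schedule";
renamed_rclone
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")
    | project DeviceId, InitiatingProcessId, InitiatingProcessCreationTime,
              RemoteIP, RemotePort, RemoteUrl
  ) on DeviceId,
       $left.ProcessId == $right.InitiatingProcessId,
       $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| extend Destination  = iff(isempty(RemoteUrl), RemoteIP, RemoteUrl),
         // ipv4_is_private returns null for non-IPv4 input; treat that as external.
         InternalDest = coalesce(ipv4_is_private(RemoteIP), false),
         ApprovedDest = RemoteUrl in~ (approved_remote_hosts)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Destinations = make_set(Destination, 20),
            // Rows with no network match have an empty RemoteIP and are not counted.
            UnexpectedExternal = countif(isnotempty(RemoteIP) and not(InternalDest) and not(ApprovedDest))
    by DeviceName, AccountName, FileName, FolderPath, SHA256, Verb, Remote,
       ProcessCommandLine, InitiatingProcessFileName,
       ApprovedHash, BackupHost, ScheduledTask
// Suppress only what is sanctioned on every axis: approved build, on a backup
// host, launched by the Task Scheduler, and no unexpected external destination.
| where not(ApprovedHash and BackupHost and ScheduledTask) or UnexpectedExternal > 0
| order by UnexpectedExternal desc, LastSeen desc
```

The exclusion is deliberately conjunctive: a known-good hash on the wrong host, or a sanctioned host running an unknown build, or a sanctioned job that suddenly reaches a destination outside its baseline, all stay in the results. Short-lived renamed copies that exit before the network join sees them still surface with an empty Destinations set, which is itself worth triage.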