Sigma rule - Level: high - Hunting

PUA - Restic Backup Tool Execution

Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services. If not legitimately used in the enterprise environment, its presence may indicate malicious activity.

MITRE ATT&CK

Exfiltration

Detection Query

selection_specific:
  - CommandLine|contains|all:
      - --password-file
      - init
      - " -r "
  - CommandLine|contains|all:
      - --use-fs-snapshot
      - backup
      - " -r "
selection_restic:
  CommandLine|contains:
    - "sftp:"
    - rest:http
    - s3:s3.
    - s3.http
    - "azure:"
    - " gs:"
    - "rclone:"
    - "swift:"
    - " b2:"
  CommandLine|contains|all:
    - " init "
    - " -r "
condition: 1 of selection_*
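To see exactly which command lines this rule fires on, the following added example (not part of the page or of the Sigma project) re-implements the two selections and the `1 of selection_*` condition in plain Python and runs them over a handful of constructed process-creation events. It mirrors Sigma semantics: `contains` with a list is an OR, `contains|all` is an AND, the two keys inside `selection_restic` are AND-ed, the two list entries of `selection_specific` are OR-ed, and string matching is case-insensitive. The hostnames, paths and addresses in the sample events are made up (documentation ranges), and the `robocopy`/`svchost` lines are there only as non-matching controls.

```python
"""Stand-alone evaluator for the detection logic of the Sigma rule
'PUA - Restic Backup Tool Execution'. Added example: this is not Sigma's
own matching engine, and the events below are constructed, not real telemetry."""
from typing import Iterable


def contains_any(cmd: str, needles: Iterable[str]) -> bool:
    """Sigma 'CommandLine|contains: [a, b]' -> at least one substring present.
    Sigma string modifiers are case-insensitive, so both sides are lower-cased."""
    c = cmd.lower()
    return any(n.lower() in c for n in needles)


def contains_all(cmd: str, needles: Iterable[str]) -> bool:
    """Sigma 'CommandLine|contains|all: [a, b]' -> every substring present."""
    c = cmd.lower()
    return all(n.lower() in c for n in needles)


# selection_specific is a YAML *list* of maps: the two entries are OR-ed.
SELECTION_SPECIFIC = [
    ["--password-file", "init", " -r "],
    ["--use-fs-snapshot", "backup", " -r "],
]

# selection_restic is a single map: its two keys are AND-ed.
RESTIC_REMOTE_BACKENDS = [
    "sftp:", "rest:http", "s3:s3.", "s3.http", "azure:",
    " gs:", "rclone:", "swift:", " b2:",
]
RESTIC_INIT_TOKENS = [" init ", " -r "]


def selection_specific(cmd: str) -> bool:
    return any(contains_all(cmd, group) for group in SELECTION_SPECIFIC)


def selection_restic(cmd: str) -> bool:
    return (contains_any(cmd, RESTIC_REMOTE_BACKENDS)
            and contains_all(cmd, RESTIC_INIT_TOKENS))


def matched_selections(cmd: str) -> list[str]:
    """Names of the selections that fire. 'condition: 1 of selection_*'
    means the rule alerts whenever this list is non-empty."""
    hits = []
    if selection_specific(cmd):
        hits.append("selection_specific")
    if selection_restic(cmd):
        hits.append("selection_restic")
    return hits


def rule_matches(cmd: str) -> bool:
    return bool(matched_selections(cmd))


# Constructed process_creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    # Repository initialisation against an SFTP remote with a password file.
    r"restic.exe -r sftp:backup@203.0.113.10:/srv/repo init --password-file C:\ProgramData\restic\pw.txt",
    # VSS-backed backup to a REST server.
    r"restic.exe -r rest:http://backup.example.net:8000/ backup --use-fs-snapshot C:\Users\alice\Documents",
    # Cloud repository init without a password file: only selection_restic fires.
    "restic.exe -r azure:backups:/restic init --verbose",
    # Benign tooling that shares some tokens but matches no selection.
    r"robocopy.exe C:\data \\fileserver\backup /MIR /R:3",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
]


def evaluate(events: Iterable[str]) -> dict[str, list[str]]:
    """Map each command line to the selections it triggered (empty = no alert)."""
    return {cmd: matched_selections(cmd) for cmd in events}


if __name__ == "__main__":
    for cmd, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hits else '  ok '} {hits or ''}  {cmd}")
```

Two things worth noting when porting this rule to a SIEM: the quoted tokens such as `' init '` and `' -r '` carry their surrounding spaces deliberately (they anchor on whole arguments, which is why the third sample passes a flag after `init`), so a converter or copy-and-paste that trims whitespace changes the logic; and, as the rule's own falsepositives entry says, a sanctioned backup job produces exactly the same command lines, so an allow-list keyed on the executable path or the account running the scheduled task is the usual tuning step rather than weakening the string matches.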

Author

Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-10-17

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.exfiltration
attack.t1048 (Exfiltration Over Alternative Protocol)
attack.t1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)

Raw Content
title: PUA - Restic Backup Tool Execution
id: 6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7
status: experimental
description: |
    Detects the execution of the Restic backup tool, which can be used for data exfiltration.
    Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
    If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
references:
    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
    - https://restic.net/
    - https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html
author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048
    - attack.t1567.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_specific:
        - CommandLine|contains|all:
              - '--password-file'
              - 'init'
              - ' -r '
        - CommandLine|contains|all:
              - '--use-fs-snapshot'
              - 'backup'
              - ' -r '
    selection_restic:
        CommandLine|contains:
            - 'sftp:'
            - 'rest:http'
            - 's3:s3.'
            - 's3.http'
            - 'azure:'
            - ' gs:'
            - 'rclone:'
            - 'swift:'
            - ' b2:'
        CommandLine|contains|all:
            - ' init '
            - ' -r '
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Restic for backup purposes within the organization.
level: high