kqlHunting
Rclone Copy Process Args
Any use of rclone should be heavily scrutinized in the environment. It is a binary attackers commonly use to get data out.
Detection Query
//Any use of rclone should be heavily scrutinized in the environment. It is a binary attackers commonly use to get data out
// Definitely block the usage of rclone as a binary and as a cloud app (by denying consent)
//Make sure to block rclone.org and https://github.com/rclone/rclone
let rclone_args = pack_array('copy','ignore-existing','auto-confirm'); //not including the binary name here in case the attacker renames the binary.
DeviceProcessEvents
| where TimeGenerated >ago(90d)
| where ProcessCommandLine has_all(rclone_args) or ProcessCommandLine contains "rclone.exe copy" or FileName =~ "rclone.exe" //cover rename, args and standard use of binary (=~ is case-insensitive, == is not)
//Flags for copy command (not including global flags such as auto-confirm):
// --absolute Put a leading / in front of path names
// --combined string Make a combined report of changes to this file
// --create-empty-src-dirs Create empty source dirs on destination after copy
// --csv Output in CSV format
// --dest-after string Report all files that exist on the dest post-sync
// --differ string Report all non-matching files to this file
// -d, --dir-slash Append a slash to directory names (default true)
// --dirs-only Only list directories
// --error string Report all files with errors (hashing or reading) to this file
// --files-only Only list files (default true)
// -F, --format string Output format - see lsf help for details (default "p")
// --hash h Use this hash when h is used in the format MD5|SHA-1|DropboxHash (default "md5")
// -h, --help help for copy
// --match string Report all matching files to this file
// --missing-on-dst string Report all files missing from the destination to this file
// --missing-on-src string Report all files missing from the source to this file
// -s, --separator string Separator for the items in the format (default ";")
// -t, --timeformat string Specify a custom time format, or 'max' for max precision supported by remote (default: 2006-01-02 15:04:05)
//Flags for anything which can copy a file (flag group Copy):
// --check-first Do all the checks before starting transfers
// -c, --checksum Check for changes with size & checksum (if available, or fallback to size only)
// --compare-dest stringArray Include additional server-side paths during comparison
// --copy-dest stringArray Implies --compare-dest but also copies files from paths into destination
// --cutoff-mode HARD|SOFT|CAUTIOUS Mode to stop transfers when reaching the max transfer limit HARD|SOFT|CAUTIOUS (default HARD)
// --ignore-case-sync Ignore case when synchronizing
// --ignore-checksum Skip post copy check of checksums
// --ignore-existing Skip all files that exist on destination
// --ignore-size Ignore size when skipping use modtime or checksum
// -I, --ignore-times Don't skip items that match size and time - transfer all unconditionally
// --immutable Do not modify files, fail if existing files have been modified
// --inplace Download directly to destination file instead of atomic download to temp/rename
// -l, --links Translate symlinks to/from regular files with a '.rclonelink' extension
// --max-backlog int Maximum number of objects in sync or check backlog (default 10000)
// --max-duration Duration Maximum duration rclone will transfer data for (default 0s)
// --max-transfer SizeSuffix Maximum size of data to transfer (default off)
// -M, --metadata If set, preserve metadata when copying objects
// --modify-window Duration Max time diff to be considered the same (default 1ns)
// --multi-thread-chunk-size SizeSuffix Chunk size for multi-thread downloads / uploads, if not set by filesystem (default 64Mi)
// --multi-thread-cutoff SizeSuffix Use multi-thread downloads for files above this size (default 256Mi)
// --multi-thread-streams int Number of streams to use for multi-thread downloads (default 4)
// --multi-thread-write-buffer-size SizeSuffix In memory buffer size for writing when in multi-thread mode (default 128Ki)
// --name-transform stringArray Transform paths during the copy process
// --no-check-dest Don't check the destination, copy regardless
// --no-traverse Don't traverse destination file system on copy
// --no-update-dir-modtime Don't update directory modification times
// --no-update-modtime Don't update destination modtime if files identical
// --order-by string Instructions on how to order the transfers, e.g. 'size,descending'
// --partial-suffix string Add partial-suffix to temporary file name when --inplace is not used (default ".partial")
// --refresh-times Refresh the modtime of remote files
// --server-side-across-configs Allow server-side operations (e.g. copy) to work across different configs
// --size-only Skip based on size only, not modtime or checksum
// --streaming-upload-cutoff SizeSuffix Cutoff for switching to chunked upload if file size is unknown, upload starts after reaching cutoff or when file ends (default 100Ki)
// -u, --update Skip files that are newer on the destination
//Important flags useful for most commands (flag group Important):
// -n, --dry-run Do a trial run with no permanent changes
// -i, --interactive Enable interactive mode
// -v, --verbose count Print lots more stuff (repeat for more)
//Flags for filtering directory listings (flag group Filter):
// --delete-excluded Delete files on dest excluded from sync
// --exclude stringArray Exclude files matching pattern
// --exclude-from stringArray Read file exclude patterns from file (use - to read from stdin)
// --exclude-if-present stringArray Exclude directories if filename is present
// --files-from stringArray Read list of source-file names from file (use - to read from stdin)
// --files-from-raw stringArray Read list of source-file names from file without any processing of lines (use - to read from stdin)
// -f, --filter stringArray Add a file filtering rule
// --filter-from stringArray Read file filtering patterns from a file (use - to read from stdin)
// --hash-filter string Partition filenames by hash k/n or randomly @/n
// --ignore-case Ignore case in filters (case insensitive)
// --include stringArray Include files matching pattern
// --include-from stringArray Read file include patterns from file (use - to read from stdin)
// --max-age Duration Only transfer files younger than this in s or suffix ms|s|m|h|d|w|M|y (default off)
// --max-depth int If set limits the recursion depth to this (default -1)
// --max-size SizeSuffix Only transfer files smaller than this in KiB or suffix B|K|M|G|T|P (default off)
// --metadata-exclude stringArray Exclude metadatas matching pattern
// --metadata-exclude-from stringArray Read metadata exclude patterns from file (use - to read from stdin)
// --metadata-filter stringArray Add a metadata filtering rule
// --metadata-filter-from stringArray Read metadata filtering patterns from a file (use - to read from stdin)
// --metadata-include stringArray Include metadatas matching pattern
// --metadata-include-from stringArray Read metadata include patterns from file (use - to read from stdin)
// --min-age Duration Only transfer files older than this in s or suffix ms|s|m|h|d|w|M|y (default off)
// --min-size SizeSuffix Only transfer files bigger than this in KiB or suffix B|K|M|G|T|P (default off)
//Flags for listing directories (flag group Listing):
// --default-time Time Time to show if modtime is unknown for files and directories (default 2000-01-01T00:00:00Z)
// --fast-list Use recursive list if available; uses more memory but fewer transactions
Data Sources
DeviceProcessEvents
Platforms
windows
Tags
defender
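To make the three match clauses of the query above concrete, here is an added Python example (not part of the original kqlHunting entry) that runs the same logic over a handful of constructed DeviceProcessEvents-shaped rows. The row contents, the `updater.exe` renamed-binary case and the helper names (`kql_has`, `kql_contains`, `classify`, `hunt`) are all assumptions for illustration; `kql_has` only approximates KQL `has` term matching (case-insensitive, bounded by non-alphanumeric characters). The example also shows why a case-sensitive `==` on FileName can miss a row that `=~` would catch.

```python
import re

# Constructed sample rows shaped like DeviceProcessEvents (FileName, ProcessCommandLine).
# These are made up for the example and are not real telemetry.
SAMPLE_EVENTS = [
    {"FileName": "rclone.exe",
     "ProcessCommandLine": r"rclone.exe copy C:\Finance remote:bucket --auto-confirm --ignore-existing"},
    {"FileName": "svchost.exe",
     "ProcessCommandLine": "svchost.exe -k netsvcs"},
    # Renamed binary: no 'rclone' anywhere, only the argument pattern gives it away.
    {"FileName": "updater.exe",
     "ProcessCommandLine": r"updater.exe copy C:\Users\a\Documents r:share --ignore-existing --auto-confirm -P"},
    # Mixed-case file name: caught by =~ but not by ==.
    {"FileName": "Rclone.exe",
     "ProcessCommandLine": "Rclone.exe lsd remote:"},
    # Benign: has the term 'copy' but not the other two rclone arguments.
    {"FileName": "cmd.exe",
     "ProcessCommandLine": r"cmd.exe /c copy C:\a.txt D:\b.txt"},
    {"FileName": "robocopy.exe",
     "ProcessCommandLine": r"robocopy.exe C:\src D:\dst /E"},
]

# Same argument set as the query's rclone_args; the binary name is deliberately absent.
RCLONE_ARGS = ("copy", "ignore-existing", "auto-confirm")


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive, term bounded by non-alphanumerics."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def kql_has_all(text: str, terms) -> bool:
    """Approximate KQL `has_all`: every term must match."""
    return all(kql_has(text, t) for t in terms)


def kql_contains(text: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring match."""
    return needle.lower() in text.lower()


def filename_eq(event: dict, name: str) -> bool:
    """KQL `==`: case-sensitive string equality."""
    return event["FileName"] == name


def filename_eq_ci(event: dict, name: str) -> bool:
    """KQL `=~`: case-insensitive string equality."""
    return event["FileName"].lower() == name.lower()


def classify(event: dict) -> list:
    """Return the reasons a row would match the hunting query (empty list = no match)."""
    cmd = event["ProcessCommandLine"]
    reasons = []
    if kql_has_all(cmd, RCLONE_ARGS):
        reasons.append("rclone copy argument pattern (binary may be renamed)")
    if kql_contains(cmd, "rclone.exe copy"):
        reasons.append("literal 'rclone.exe copy' in command line")
    if filename_eq_ci(event, "rclone.exe"):
        reasons.append("file name is rclone.exe")
    return reasons


def hunt(events) -> list:
    """Run the detection over a list of rows; returns (FileName, reasons) for each hit."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["FileName"], reasons))
    return hits


if __name__ == "__main__":
    for file_name, reasons in hunt(SAMPLE_EVENTS):
        print(f"{file_name}: {'; '.join(reasons)}")
```

Running it flags the plain `rclone.exe copy` row on all three clauses, the renamed `updater.exe` row on the argument clause alone, and the `Rclone.exe` row only because the file-name comparison is case-insensitive; the `cmd.exe` and `robocopy.exe` rows contain `copy` but never all three arguments, so they stay out of the results.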