
Rclone Activity via Proxy

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

Author: Janantha Marasinghe
Created: Tue Oct 18
Rule ID: 2c03648b-e081-41a5-b9fb-7d854a915091
Rule directory: web
Log Source
Proxy Log
Category: Proxy Log (raw: proxy)
Detection Logic (1 selector)
detection:
    selection:
        c-useragent|startswith: 'rclone/v'
    condition: selection
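The selector above applied to proxy log lines in W3C Extended Log Format, as an added example that is not part of the Sigma rule or this catalogue; the field layout and the four log records are constructed for the illustration.

```python
# Added example: applies the rule's single selector, c-useragent|startswith 'rclone/v',
# to W3C Extended Log Format proxy records. Sample #Fields layout and records are constructed.
from typing import Dict, List

# Constructed sample: a #Fields directive followed by four records (no spaces inside fields,
# as W3C format encodes them; a real parser would also handle quoted fields).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri c-useragent sc-status
2024-01-10 09:12:01 10.0.0.5 PUT https://example.invalid/upload rclone/v1.65.0 200
2024-01-10 09:12:03 10.0.0.7 GET https://example.invalid/ Mozilla/5.0 200
2024-01-10 09:12:05 10.0.0.9 GET https://example.invalid/api curl/8.4.0 200
2024-01-10 09:12:07 10.0.0.5 PUT https://example.invalid/sync rclone/v1.60.1 201
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per record, keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Version, #Date, ...) carry no record
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: field count does not match the header
        records.append(dict(zip(fields, values)))
    return records


def matches_rclone_rule(record: Dict[str, str]) -> bool:
    """Sigma selector c-useragent|startswith 'rclone/v'.

    Sigma string matching is case-insensitive unless the |cased modifier is used,
    so the comparison is lower-cased here to mirror the rule's semantics.
    """
    return record.get("c-useragent", "").lower().startswith("rclone/v")


def find_rclone_activity(text: str) -> List[Dict[str, str]]:
    """Return every proxy record the rule would alert on."""
    return [r for r in parse_w3c(text) if matches_rclone_rule(r)]
```

The two PUT records from 10.0.0.5 match; the curl and browser requests do not, which is the distinction a reviewer then checks against the listed false positives.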
False Positives

Valid requests with this exact user agent that are made by legitimate scripts or sysadmin operations

Rule Metadata
Rule ID
2c03648b-e081-41a5-b9fb-7d854a915091
Status
test
Level
medium
Type
Detection
Created
Tue Oct 18
Path
rules/web/proxy_generic/proxy_ua_rclone.yml
Raw Tags
attack.exfiltration, attack.t1567.002