| ID | Technique | Tactic |
|---|---|---|
| T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
Detection: Cisco NVM - Rclone Execution With Network Activity
Description
This detection identifies execution of the file synchronization utility "rclone". It leverages Cisco Network Visibility Module logs, specifically flow data in order to capture process executions initiating network connections. While rclone is a legitimate command-line tool for syncing data to cloud storage providers, it has been widely abused by threat actors for data exfiltration. This analytic inspects process name and arguments for rclone and flags usage of suspicious flags. If matched, this could indicate malicious usage for stealthy data exfiltration or cloud abuse.
Search
1`cisco_network_visibility_module_flowdata`
2(
3 process_name = "rclone.exe"
4 OR
5 (
6 process_arguments = "* copy *"
7 process_arguments = "*\\\\*"
8 process_arguments IN ("*remote:*", "*mega:*", "*ftp:*", "*ftp1:*")
9 )
10 OR
11 (
12 process_arguments IN ("*remote:*", "*mega:*", "*ftp:*", "*ftp1:*")
13 process_arguments = "*--transfers"
14 process_arguments = "*--ignore-existing*"
15 process_arguments = "*--auto-confirm*"
16 )
17)
18
19| stats count min(_time) as firstTime max(_time) as lastTime
20 values(parent_process_arguments) as parent_process_arguments
21 values(process_arguments) as process_arguments
22 values(parent_process_hash) as parent_process_hash
23 values(process_hash) as process_hash
24 values(module_name_list) as module_name_list
25 values(module_hash_list) as module_hash_list
26 values(dest_port) as dest_port
27 values(aliul) as additional_logged_in_users_list
28 values(dest_hostname) as dest_hostname
29 by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
30
31| `security_content_ctime(firstTime)`
32
33| `security_content_ctime(lastTime)`
34
35| table
36 parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
37 process_integrity_level process_path process_name process_arguments process_hash process_id
38 additional_logged_in_users_list module_name_list module_hash_list
39 src dest_hostname dest dest_port transport firstTime lastTime
40
41| `cisco_nvm___rclone_execution_with_network_activity_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data |  Network |
'cisco:nvm:flowdata' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_network_visibility_module_flowdata | sourcetype="cisco:nvm:flowdata" |
| cisco_nvm___rclone_execution_with_network_activity_filter | search * |
cisco_nvm___rclone_execution_with_network_activity_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Actions on Objectives
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
This search requires Network Visibility Module logs, which includes the flow data sourcetype.
This search uses an input macro named cisco_network_visibility_module_flowdata.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
Replace the macro definition with configurations for your Splunk environment.
The search also uses a post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
Known False Positives
Rclone is used legitimately in some backup or other workflows. Tune this rule based on known-good operational usage or restrict by known user/service accounts an specific folders or remote names.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Rclone was executed on $src$ using flags $process_arguments$ and connected to $dest_hostname$ over $dest_port$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| src | system | 60 | process_name |
References
-
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-
https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
-
https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
-
https://redcanary.com/blog/threat-detection/rclone-mega-extortion/
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1