```yaml
title: Rclone Data Exfiltration
id: edr-win-exfil-rclone-usage
status: stable
description: >
  Identifies Rclone execution on Windows via process name or PE metadata (display name).
  Rclone is a legitimate cloud sync tool heavily abused for data exfiltration by ransomware
  operators including Akira, Qilin, Conti, and BlackBasta. Detection uses PE display name
  to catch renamed variants.
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
  - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.exfiltration
  - attack.t1048
  - attack.t1567
logsource:
  category: process_creation
  product: windows
detection:
  selection_name:
    Image|endswith: '\rclone.exe'
  selection_metadata:
    Product|contains: 'Rsync for cloud storage'
  filter_service:
    ParentImage|endswith: '\rclone_service.exe'
  condition: (selection_name or selection_metadata) and not filter_service
falsepositives:
  - Legitimate Rclone usage for cloud backup by IT teams
  - Rclone service wrapper for scheduled syncs
level: high
```
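To see how the three selections and the condition combine, the following is an added example (not code from the rule's author or from the Sigma project) that re-implements just the Sigma subset this rule uses (`|endswith`, `|contains`, plain equality, and an `and`/`or`/`not` condition) and runs it over a handful of constructed process-creation events. It assumes events arrive as dictionaries with the Sigma field names `Image`, `Product` and `ParentImage`; the event ids and paths are invented for illustration. The interesting cases are the renamed binary, which only the PE-metadata selection catches, the service-wrapper child, which the filter suppresses, and an event with no PE metadata at all, which the evaluator must treat as a non-match on that field rather than an error.

```python
"""Evaluate the Rclone Sigma rule's detection logic over constructed events.

This is a minimal evaluator for the modifiers the rule uses, written for
illustration; it is not the Sigma reference implementation. Sigma string
matching is case-insensitive by default, so every comparison lowercases.
"""

# The rule's detection block, transcribed as Python (field|modifier -> value).
RULE_DETECTION = {
    "selection_name": {"Image|endswith": "\\rclone.exe"},
    "selection_metadata": {"Product|contains": "Rsync for cloud storage"},
    "filter_service": {"ParentImage|endswith": "\\rclone_service.exe"},
}


def field_matches(event: dict, key: str, expected: str) -> bool:
    """Apply one 'Field|modifier: value' pair to an event.

    A field that is absent from the event (e.g. no PE metadata was
    extracted) is treated as an empty string, so it simply does not match.
    """
    field, _, modifier = key.partition("|")
    value = str(event.get(field) or "").lower()
    expected = expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "contains":
        return expected in value
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    """All field pairs inside one selection are ANDed together in Sigma."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rclone_rule_matches(event: dict) -> bool:
    """condition: (selection_name or selection_metadata) and not filter_service"""
    sel = {name: selection_matches(event, s) for name, s in RULE_DETECTION.items()}
    return (sel["selection_name"] or sel["selection_metadata"]) and not sel["filter_service"]


# Constructed sample events (hypothetical paths and ids, not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: rclone under its own name, launched from a shell -> alert
        "id": "ev-1",
        "Image": "C:\\Users\\alice\\Downloads\\rclone.exe",
        "Product": "Rclone",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # 2: renamed binary; only the PE display-name selection fires -> alert
        "id": "ev-2",
        "Image": "C:\\ProgramData\\svchost32.exe",
        "Product": "Rsync for cloud storage",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    },
    {   # 3: scheduled sync spawned by the service wrapper -> filtered out
        "id": "ev-3",
        "Image": "C:\\Program Files\\rclone\\rclone.exe",
        "Product": "Rsync for cloud storage",
        "ParentImage": "C:\\Program Files\\rclone\\rclone_service.exe",
    },
    {   # 4: unrelated process -> no match
        "id": "ev-4",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "Product": "Microsoft Windows Operating System",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {   # 5: sensor extracted no PE metadata; the name selection still fires
        "id": "ev-5",
        "Image": "D:\\tools\\RCLONE.EXE",
    },
]


def evaluate(events: list) -> list:
    """Return (event id, matched) for each event."""
    return [(e["id"], rclone_rule_matches(e)) for e in events]


if __name__ == "__main__":
    for event_id, hit in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {'ALERT' if hit else 'no match'}")
```

Event 3 is the one worth dwelling on when tuning: the filter keys purely on the parent process name, so anything that names its parent `rclone_service.exe` is excluded. If that is a concern in your environment, the parent's own path or signer is the natural additional constraint to add to `filter_service`.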