S1040 Rclone

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.⁴³¹⁵²

Item	Value
ID	S1040
Associated Names
Type	TOOL
Version	1.0
Created	30 August 2022
Last Modified	13 April 2023
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1560	Archive Collected Data	-
enterprise	T1560.001	Archive via Utility	Rclone can compress files using `gzip` prior to exfiltration.⁴
enterprise	T1030	Data Transfer Size Limits	The Rclone “chunker” overlay supports splitting large files in smaller chunks during upload to circumvent size limits.⁴²
enterprise	T1048	Exfiltration Over Alternative Protocol	-
enterprise	T1048.002	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Rclone can exfiltrate data over SFTP or HTTPS via WebDAV.⁴
enterprise	T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	Rclone can exfiltrate data over FTP or HTTP, including HTTP via WebDAV.⁴
enterprise	T1567	Exfiltration Over Web Service	-
enterprise	T1567.002	Exfiltration to Cloud Storage	Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.⁴²
enterprise	T1083	File and Directory Discovery	Rclone can list files and directories with the `ls`, `lsd`, and `lsl` commands.⁴

References

Aaron Greetham. (2021, May 27). Detecting Rclone – An Effective Tool for Exfiltration. Retrieved August 30, 2022. ↩
DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. ↩↩↩
Justin Schoenfeld and Aaron Didier. (2021, May 4). Rclone Wars: Transferring leverage in a ransomware attack. Retrieved August 30, 2022. ↩
Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022. ↩↩↩↩↩↩↩
Ramarcus Baylor. (2021, May 12). DarkSide Ransomware Gang: An Overview. Retrieved August 30, 2022. ↩