Renamed RCLONE.EXE Execution

Rule Info

Name
Renamed RCLONE.EXE Execution
Author
X__Junior (Nextron Systems)
Description
Detects the execution of a renamed "RCLONE.exe" binary based on the PE metadata fields
Reference
https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
Date
2024-09-27 00:00:00
Modified
None
Id
2be3bd26-93b8-4413-a78c-9081e4e65d15
Tags
attack.execution attack.t1059 attack.defense-evasion attack.t1202
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022