Cisco NVM - Rclone Execution With Network Activity

This detection identifies execution of the file synchronization utility "rclone". It leverages Cisco Network Visibility Module logs, specifically flow data in order to capture process executions initiating network connections. While rclone is a legitimate command-line tool for syncing data to cloud storage providers, it has been widely abused by threat actors for data exfiltration. This analytic inspects process name and arguments for rclone and flags usage of suspicious flags. If matched, this could indicate malicious usage for stealthy data exfiltration or cloud abuse.