LoFP / Legitimate use of restic for backup purposes within the organization.

Techniques

Sample rules

PUA - Restic Backup Tool Execution

Description

Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services. If not legitimately used in the enterprise environment, its presence may indicate malicious activity.

Detection logic

condition: 1 of selection_*
selection_restic:
  CommandLine|contains:
  - 'sftp:'
  - rest:http
  - s3:s3.
  - s3.http
  - 'azure:'
  - ' gs:'
  - 'rclone:'
  - 'swift:'
  - ' b2:'
  CommandLine|contains|all:
  - ' init '
  - ' -r '
selection_specific:
- CommandLine|contains|all:
  - --password-file
  - init
  - ' -r '
- CommandLine|contains|all:
  - --use-fs-snapshot
  - backup
  - ' -r '
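To show how the two selections and the `1 of selection_*` condition combine, the following Python is an added example that re-implements the rule's string logic and runs it over a handful of constructed Windows process-creation command lines. It is not code from the LoFP project or from the Sigma rule itself. It assumes Sigma's default case-insensitive `contains` semantics, and the `APPROVED_REPOS` allowlist and all sample command lines are hypothetical values constructed for this example, included only to show where the legitimate-use false positive named on this page would land.

```python
"""Emulate 'PUA - Restic Backup Tool Execution' over sample command lines.

Added example: re-implements the Sigma selections above in plain Python so the
matching behaviour (and the legitimate-backup false positive) can be inspected.
"""

# Remote backend fragments from selection_restic (CommandLine|contains).
RESTIC_BACKENDS = [
    "sftp:", "rest:http", "s3:s3.", "s3.http", "azure:",
    " gs:", "rclone:", "swift:", " b2:",
]
# Second half of selection_restic (CommandLine|contains|all): repo init.
RESTIC_INIT_ALL = [" init ", " -r "]
# selection_specific: a list of contains|all groups, any one of which suffices.
SPECIFIC_GROUPS = [
    ["--password-file", "init", " -r "],
    ["--use-fs-snapshot", "backup", " -r "],
]

# Hypothetical tuning allowlist: repositories the backup team is known to use.
APPROVED_REPOS = ("s3:s3.amazonaws.com/corp-backups",)


def _contains(cmd: str, needle: str) -> bool:
    """Sigma's contains modifier is case-insensitive by default."""
    return needle.lower() in cmd.lower()


def selection_restic(cmd: str) -> bool:
    """One of the remote backends AND both ' init ' and ' -r ' present."""
    return (any(_contains(cmd, b) for b in RESTIC_BACKENDS)
            and all(_contains(cmd, t) for t in RESTIC_INIT_ALL))


def selection_specific(cmd: str) -> bool:
    """Any group where every term is present (list of maps = OR of ANDs)."""
    return any(all(_contains(cmd, t) for t in group) for group in SPECIFIC_GROUPS)


def matches(cmd: str) -> list:
    """condition: 1 of selection_* -> names of the selections that fired."""
    fired = []
    if selection_restic(cmd):
        fired.append("selection_restic")
    if selection_specific(cmd):
        fired.append("selection_specific")
    return fired


def triage(cmd: str, approved=APPROVED_REPOS) -> str:
    """Label a hit as allowlisted when it targets an approved repository."""
    if not matches(cmd):
        return "no_match"
    if any(_contains(cmd, " -r " + repo) for repo in approved):
        return "match_allowlisted"
    return "match"


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    # Legitimate org backup: fires both selections, then allowlisted in triage.
    r"restic.exe -r s3:s3.amazonaws.com/corp-backups init --password-file C:\ProgramData\restic\pw.txt",
    # Same shape against an unknown bucket: fires both, stays a match.
    r"restic.exe -r s3:s3.amazonaws.com/unknown-bucket init --password-file C:\Users\Public\pw.txt",
    # Local repo backup with VSS: only selection_specific fires.
    r"restic.exe -r C:\Backups\repo backup C:\Users --use-fs-snapshot",
    # Listing snapshots: no selection fires.
    r"restic.exe -r C:\Backups\repo snapshots",
    # Local init without --password-file: ' init ' needs a trailing space,
    # so neither selection fires; a known blind spot of the literal rule text.
    r"restic.exe -r C:\Backups\repo init",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(f"{triage(cmd):17} {matches(cmd)}  {cmd}")
```

Running the block prints one line per sample with the triage label and the selections that fired; the last sample shows that a trailing-space term like `' init '` only matches when another argument follows `init`, which is worth knowing before relying on the rule for local-repository initialisation.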