LoFP / valid requests with this exact user agent that is used by legitimate scripts or sysadmin operations

Techniques

Sample rules

Rclone Activity via Proxy

Description

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string.

Detection logic

condition: selection
selection:
  c-useragent|startswith: rclone/v
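
The detection logic above applied to proxy log lines, as an added example that is not part of the original rule or of the LoFP project. It groups hits by client and destination so that recurring pairs from legitimate scripts or sysadmin operations can be reviewed. The log layout, the `c-ip` and `cs-host` field names, and all sample values are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample proxy log (tab-separated, W3C-style "#Fields:" header).
# The field names c-ip and cs-host, and every value, are assumptions.
SAMPLE_LOG = "\n".join([
    "#Fields: c-ip\tcs-host\tc-useragent",
    "10.0.0.5\tbackup.example.com\trclone/v1.62.2",
    "10.0.0.5\tbackup.example.com\trclone/v1.62.2",
    "10.0.0.9\tfiles.example.net\tRclone/V1.60.0",
    "10.0.0.7\twww.example.org\tMozilla/5.0 (X11; Linux x86_64)",
    "10.0.0.8\twww.example.org\tcurl/8.0.1 rclone/v1",
])


def parse(log_text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def selection(event):
    """c-useragent|startswith: rclone/v (Sigma compares strings case-insensitively)."""
    return event.get("c-useragent", "").lower().startswith("rclone/v")


def triage(log_text):
    """Count hits per (client, destination) so recurring pairs can be reviewed."""
    return Counter(
        (e.get("c-ip"), e.get("cs-host"))
        for e in parse(log_text)
        if selection(e)
    )


if __name__ == "__main__":
    for (client, host), hits in triage(SAMPLE_LOG).most_common():
        print(f"{client} -> {host}: {hits} hit(s)")
```

The last sample line is not a hit: the string `rclone/v` appears in its user agent, but not at the start, so `startswith` does not match.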