PUA Restic Backup Tool Execution

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects the execution of the Restic backup tool, which can be used for data exfiltration.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (( COMMANDLINE contains "--password-file,--use-fs-snapshot" AND COMMANDLINE contains "init,backup" AND COMMANDLINE contains " -r " ) OR COMMANDLINE contains "sftp:,rest:http,s3:s3.,s3.http,azure:, gs:,rclone:,swift:, b2:" ) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)