PUA Restic Backup Tool Execution
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects the execution of the Restic backup tool, which can be used for data exfiltration.
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND (( COMMANDLINE contains "--password-file,--use-fs-snapshot" AND COMMANDLINE contains "init,backup" AND COMMANDLINE contains " -r " ) OR COMMANDLINE contains "sftp:,rest:http,s3:s3.,s3.http,azure:, gs:,rclone:,swift:, b2:" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)


