Here's a handy script to gather up hashes for all Rclone releases, along with the current results.
https://gist.github.com/rmceoin/efedac0f86884dea548dc757b4a885ef
The recent year in review by #DFIRReport has a ton of great intel and as I've seen many times before rclone is called out. It is frequently used for exfil.
So, along with other tools, rclone has been on my hit list to chase down the hashes and see what our defenses think of them and if used internally.
It turns out Rclone is on GitHub and appears to host the last several years of releases there. With a little GitHub and Bash magic, out pop all the recent hashes. I stayed focused just on the Windows hashes.
No doubt a TA would pivot to another method, but the hope would be it'd delay them and help set off more alarms as they bump around.
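An added example, not the gist linked above, showing one way to do the "GitHub and Bash" step defensively: pull each release's SHA256SUMS from GitHub and keep only the Windows archive hashes. It assumes rclone publishes a SHA256SUMS asset in sha256sum format per release and uses the GitHub releases API; the sample checksum listing at the bottom is constructed (fake hashes) so the parser runs offline.

```shell
#!/bin/sh
# Added example (not the gist from the post): collect SHA-256 hashes of Rclone's
# Windows release archives from GitHub for defensive hash hunting.
# Assumptions: rclone ships a SHA256SUMS asset per release (sha256sum format:
# "<hash>  <filename>") and the GitHub API is reachable when run with "fetch".
# Everything else below runs offline.

REPO="rclone/rclone"

# Keep only Windows archives from a SHA256SUMS listing read on stdin and emit
# "tag,filename,sha256" CSV rows. The release tag is passed as $1.
filter_windows_sums() {
    tag="$1"
    awk -v tag="$tag" '$2 ~ /-windows-/ { printf "%s,%s,%s\n", tag, $2, $1 }'
}

# List release tags (v1.62.0, ...) via the GitHub API. Network required;
# grep/sed instead of jq so there are no extra dependencies.
fetch_release_tags() {
    curl -fsSL "https://api.github.com/repos/$REPO/releases?per_page=100" \
        | grep -o '"tag_name": *"[^"]*"' | sed 's/.*"\(v[^"]*\)"$/\1/'
}

# Download the SHA256SUMS asset for one release tag. Network required.
fetch_sums_for_tag() {
    curl -fsSL "https://github.com/$REPO/releases/download/$1/SHA256SUMS"
}

# Caveat: these hashes cover the .zip archives, not the extracted rclone.exe.
# For endpoint hunting, also hash the executable inside each archive.
collect_windows_hashes() {
    echo "tag,filename,sha256"
    for tag in $(fetch_release_tags); do
        fetch_sums_for_tag "$tag" | filter_windows_sums "$tag"
    done
}

# Constructed sample SHA256SUMS content (fake hashes, not real rclone checksums)
# so the parser can be exercised without network access.
SAMPLE_SUMS='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  rclone-v1.62.0-linux-amd64.zip
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  rclone-v1.62.0-windows-amd64.zip
cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc  rclone-v1.62.0-windows-386.zip'

if [ "${1:-}" = "fetch" ]; then
    collect_windows_hashes                                        # live run
else
    printf '%s\n' "$SAMPLE_SUMS" | filter_windows_sums v1.62.0    # offline demo
fi
```

Run with `fetch` to query GitHub; the resulting CSV can be fed straight into an EDR or SIEM hash watchlist.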
#DFIRReport 2022 year in review is out. Great reading as always. https://thedfirreport.com/2023/03/06/2022-year-in-review/
Last spam toot and then I need to get into the projects, the new #dfirreport is out!
https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack - Researchers said the group was able to move from initial phish to full domain-wide encryption in j... https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/ #initialphishingemail #privilegeescalation #vulnerabilities #activedirectory #attackanalysis #cve-2020-1472 #cobaltstrike #websecurity #bazarloader #dfirreport #fivehours #zerologon #malware #ryuk