diff --git a/Exfiltration/rclone-exfiltration-file.md b/Exfiltration/rclone-exfiltration-file.md
new file mode 100644
index 00000000..c2230d17
--- /dev/null
+++ b/Exfiltration/rclone-exfiltration-file.md
@@ -0,0 +1,511 @@
+# Find Rclone distribution files
+RClone (https://rclone.org/) is a tool to send/receive data between local and cloud storage. It is commonly used as an exfiltration vector.
+This query finds files from a RClone distribution package, both for Win32 and Win64, via SHA1 hash of the binary and zip file.
+All versions from 0.96 to 1.56 (from https://downloads.rclone.org/, latest on Aug 20, 2021) are considered.
+
+This query can be run automatically at some fast pace (like 1h) to generate an alert when an exe or the original distribution zip file is found.
+These hashes are a superset of the exe-only query that looks for processes.
+
+## Query
+```
+let rclonefilehashes = dynamic([
+"c00cfb456fc6af0376fbea877b742594c443df97",
+"713d4a18177e9091c91a1e885d846e084fd19ebe",
+"c7f41e8349d93f581704fc7d46a0a86451b701bf",
+"c7f41e8349d93f581704fc7d46a0a86451b701bf",
+"713d4a18177e9091c91a1e885d846e084fd19ebe",
+"c7f41e8349d93f581704fc7d46a0a86451b701bf",
+"c7f41e8349d93f581704fc7d46a0a86451b701bf",
+"f11acf701130422f0b291e74a29b5c0c82967e22",
+"575ed20f418d6c84d74c527c40d098c7c145ba49",
+"575ed20f418d6c84d74c527c40d098c7c145ba49",
+"f11acf701130422f0b291e74a29b5c0c82967e22",
+"575ed20f418d6c84d74c527c40d098c7c145ba49",
+"575ed20f418d6c84d74c527c40d098c7c145ba49",
+"0774c3fad552dffac99ef4089f9d18838dc391f2",
+"0774c3fad552dffac99ef4089f9d18838dc391f2",
+"0774c3fad552dffac99ef4089f9d18838dc391f2",
+"0774c3fad552dffac99ef4089f9d18838dc391f2",
+"9ab49d4dd789eea3f2491406a2cda8ca1eb97999",
+"07da4a6aff4596d286f60c44fc0e340179d080ce",
+"07da4a6aff4596d286f60c44fc0e340179d080ce",
+"9ab49d4dd789eea3f2491406a2cda8ca1eb97999",
+"07da4a6aff4596d286f60c44fc0e340179d080ce",
+"07da4a6aff4596d286f60c44fc0e340179d080ce",
+"54e4146c3a72dca28287cfec84dc398d4bf9da66",
+"af3a8302fb7fe9cc8345b52ae45e531ad17b5959",
+"af3a8302fb7fe9cc8345b52ae45e531ad17b5959",
+"54e4146c3a72dca28287cfec84dc398d4bf9da66",
+"af3a8302fb7fe9cc8345b52ae45e531ad17b5959",
+"af3a8302fb7fe9cc8345b52ae45e531ad17b5959", +"7114bd9865f2dfc7651d9fe05ef9fbf5df8affa2", +"eec2bcb14105ab778ad7c220a40714283a9b9ff7", +"eec2bcb14105ab778ad7c220a40714283a9b9ff7", +"7114bd9865f2dfc7651d9fe05ef9fbf5df8affa2", +"eec2bcb14105ab778ad7c220a40714283a9b9ff7", +"eec2bcb14105ab778ad7c220a40714283a9b9ff7", +"9b7eea8b59a078ec6c0ee2934cfbd45d535e96eb", +"5bc41e54d81c80ed01ea75c4089678af71c9f964", +"5bc41e54d81c80ed01ea75c4089678af71c9f964", +"9b7eea8b59a078ec6c0ee2934cfbd45d535e96eb", +"5bc41e54d81c80ed01ea75c4089678af71c9f964", +"5bc41e54d81c80ed01ea75c4089678af71c9f964", +"587cdd23bf627ad7d326ce1f6ba88a7234bce51d", +"d4bd849dd9e74b8e6e7300d456ef5b0141dd5b5a", +"d4bd849dd9e74b8e6e7300d456ef5b0141dd5b5a", +"587cdd23bf627ad7d326ce1f6ba88a7234bce51d", +"d4bd849dd9e74b8e6e7300d456ef5b0141dd5b5a", +"d4bd849dd9e74b8e6e7300d456ef5b0141dd5b5a", +"e512016cbe67dbd7922cc8f2437c2b94fdf4045b", +"08da698c5c817f1799630c6edc207f049e07b4da", +"08da698c5c817f1799630c6edc207f049e07b4da", +"e512016cbe67dbd7922cc8f2437c2b94fdf4045b", +"08da698c5c817f1799630c6edc207f049e07b4da", +"08da698c5c817f1799630c6edc207f049e07b4da", +"e2f09c54f5324b439904b09591fe2084178ab83b", +"8a739e6cde1d0a7b5cf1e54a5fe21a7b73693d00", +"8a739e6cde1d0a7b5cf1e54a5fe21a7b73693d00", +"e2f09c54f5324b439904b09591fe2084178ab83b", +"8a739e6cde1d0a7b5cf1e54a5fe21a7b73693d00", +"8a739e6cde1d0a7b5cf1e54a5fe21a7b73693d00", +"7069d578c390c50e2277d174079532b72e5753d4", +"90f618e7772327c6193cd9df242a3a1c80d70143", +"90f618e7772327c6193cd9df242a3a1c80d70143", +"7069d578c390c50e2277d174079532b72e5753d4", +"90f618e7772327c6193cd9df242a3a1c80d70143", +"90f618e7772327c6193cd9df242a3a1c80d70143", +"fc02d5739e7174fa98a47cd4e32ad8b5d86f37d9", +"59d76dda2e878942d01e352eb2a1ba938dd0a894", +"59d76dda2e878942d01e352eb2a1ba938dd0a894", +"fc02d5739e7174fa98a47cd4e32ad8b5d86f37d9", +"59d76dda2e878942d01e352eb2a1ba938dd0a894", +"59d76dda2e878942d01e352eb2a1ba938dd0a894", +"173b81e84b0dd815f15f650859feebc32ca0e001", 
+"ff17f910f6927a634deaeeb29cb1baeb99d08513", +"ff17f910f6927a634deaeeb29cb1baeb99d08513", +"173b81e84b0dd815f15f650859feebc32ca0e001", +"ff17f910f6927a634deaeeb29cb1baeb99d08513", +"ff17f910f6927a634deaeeb29cb1baeb99d08513", +"f9abe4d61972a816635df8e365bb310a8e61e65a", +"df6363ca6e9ff658b929daa31791642efb320c5f", +"df6363ca6e9ff658b929daa31791642efb320c5f", +"f9abe4d61972a816635df8e365bb310a8e61e65a", +"df6363ca6e9ff658b929daa31791642efb320c5f", +"df6363ca6e9ff658b929daa31791642efb320c5f", +"d4a0888b93bca42b3581fc049b0476bbe13d503b", +"1d24fb905b5bcf910e81d354990dd8e76c6baeb0", +"1d24fb905b5bcf910e81d354990dd8e76c6baeb0", +"d4a0888b93bca42b3581fc049b0476bbe13d503b", +"1d24fb905b5bcf910e81d354990dd8e76c6baeb0", +"1d24fb905b5bcf910e81d354990dd8e76c6baeb0", +"872348ff87d82dbf47133a080b0154746f540909", +"2a9673f9c6698ffdc26dc63881b739aa7048e4f7", +"2a9673f9c6698ffdc26dc63881b739aa7048e4f7", +"872348ff87d82dbf47133a080b0154746f540909", +"2a9673f9c6698ffdc26dc63881b739aa7048e4f7", +"2a9673f9c6698ffdc26dc63881b739aa7048e4f7", +"a87edb3df5e22aad29e32ef8c1c6e01358a6b2c2", +"ccd1d542390ce2daac302142447727462bf780a1", +"ccd1d542390ce2daac302142447727462bf780a1", +"a87edb3df5e22aad29e32ef8c1c6e01358a6b2c2", +"ccd1d542390ce2daac302142447727462bf780a1", +"ccd1d542390ce2daac302142447727462bf780a1", +"bf80ee04ef669df2cb65f8ea87825dacde9b612c", +"47e5264da85973037ea3577651934677f5897927", +"47e5264da85973037ea3577651934677f5897927", +"bf80ee04ef669df2cb65f8ea87825dacde9b612c", +"47e5264da85973037ea3577651934677f5897927", +"47e5264da85973037ea3577651934677f5897927", +"64d5216d9e039238cf7ccb755ab8efbfca2d24de", +"bd38a1311858c6bfbf78247572ebde6dc6a4f601", +"bd38a1311858c6bfbf78247572ebde6dc6a4f601", +"64d5216d9e039238cf7ccb755ab8efbfca2d24de", +"bd38a1311858c6bfbf78247572ebde6dc6a4f601", +"bd38a1311858c6bfbf78247572ebde6dc6a4f601", +"086c9ed833769162b84313c5616141e081fece49", +"adb0112f007874d18bb3389e56bb9593808d9110", +"adb0112f007874d18bb3389e56bb9593808d9110", 
+"086c9ed833769162b84313c5616141e081fece49", +"adb0112f007874d18bb3389e56bb9593808d9110", +"adb0112f007874d18bb3389e56bb9593808d9110", +"916313e0a2e351c82dc99f543ff738fa4cd888f9", +"32bb3dac48ef079acd62254d901fe4119ddac440", +"32bb3dac48ef079acd62254d901fe4119ddac440", +"916313e0a2e351c82dc99f543ff738fa4cd888f9", +"32bb3dac48ef079acd62254d901fe4119ddac440", +"32bb3dac48ef079acd62254d901fe4119ddac440", +"1fd69a06e8a4530d62c53c62eabc957e7575cd72", +"24716ddb72d6fb33287b3da2a4d1b3f18ecb9390", +"24716ddb72d6fb33287b3da2a4d1b3f18ecb9390", +"1fd69a06e8a4530d62c53c62eabc957e7575cd72", +"24716ddb72d6fb33287b3da2a4d1b3f18ecb9390", +"24716ddb72d6fb33287b3da2a4d1b3f18ecb9390", +"97a0b46efb4d86a5241a104f4a64261b7a80dcd5", +"44774ad6aa7ac68b48038555ff7e9a8bef66a2a7", +"44774ad6aa7ac68b48038555ff7e9a8bef66a2a7", +"97a0b46efb4d86a5241a104f4a64261b7a80dcd5", +"44774ad6aa7ac68b48038555ff7e9a8bef66a2a7", +"44774ad6aa7ac68b48038555ff7e9a8bef66a2a7", +"5c2513d14f2ff15b15e2494dff4b89ff968a9e82", +"c924530ea27f5a9c15fa8a46fd1b1d10e0681654", +"c924530ea27f5a9c15fa8a46fd1b1d10e0681654", +"5c2513d14f2ff15b15e2494dff4b89ff968a9e82", +"c924530ea27f5a9c15fa8a46fd1b1d10e0681654", +"c924530ea27f5a9c15fa8a46fd1b1d10e0681654", +"1f76dd9f672b3290ae91ad8f8f19b6c5779e53c3", +"a9d6536efecfae3925666d858c19a811c4b12a98", +"a9d6536efecfae3925666d858c19a811c4b12a98", +"1f76dd9f672b3290ae91ad8f8f19b6c5779e53c3", +"a9d6536efecfae3925666d858c19a811c4b12a98", +"a9d6536efecfae3925666d858c19a811c4b12a98", +"30350bda781eecee69b8e6e38ff48791e24406ea", +"af56bb89b9b40c7c490e1979af790ac3e03930a6", +"af56bb89b9b40c7c490e1979af790ac3e03930a6", +"30350bda781eecee69b8e6e38ff48791e24406ea", +"af56bb89b9b40c7c490e1979af790ac3e03930a6", +"af56bb89b9b40c7c490e1979af790ac3e03930a6", +"2971fb77060ed53fe093abb4b86341a3e546d6e4", +"60dfcf54f11dd7e20cdb310e52a35326fe6ef7d3", +"60dfcf54f11dd7e20cdb310e52a35326fe6ef7d3", +"2971fb77060ed53fe093abb4b86341a3e546d6e4", +"60dfcf54f11dd7e20cdb310e52a35326fe6ef7d3", 
+"60dfcf54f11dd7e20cdb310e52a35326fe6ef7d3", +"493994b0557351bd58535a46e20a88bc5cfa82d7", +"5e12eee87f1a5cbcdbe525fe7da1d435d5c8e0ce", +"5e12eee87f1a5cbcdbe525fe7da1d435d5c8e0ce", +"493994b0557351bd58535a46e20a88bc5cfa82d7", +"5e12eee87f1a5cbcdbe525fe7da1d435d5c8e0ce", +"5e12eee87f1a5cbcdbe525fe7da1d435d5c8e0ce", +"df15b2e543d4126aa67e1a64fc136cc3259a10d8", +"5b86a86fb66f271f32f4f41f1e0c57bab793826f", +"5b86a86fb66f271f32f4f41f1e0c57bab793826f", +"df15b2e543d4126aa67e1a64fc136cc3259a10d8", +"5b86a86fb66f271f32f4f41f1e0c57bab793826f", +"5b86a86fb66f271f32f4f41f1e0c57bab793826f", +"695130ce7b634cf6b75491385fadde9137fc145c", +"06de267e53935bac592a801e33ff9c3a5b72f4dd", +"06de267e53935bac592a801e33ff9c3a5b72f4dd", +"695130ce7b634cf6b75491385fadde9137fc145c", +"06de267e53935bac592a801e33ff9c3a5b72f4dd", +"06de267e53935bac592a801e33ff9c3a5b72f4dd", +"6202d2e8af574cf41ed0eb15f3dd3800a7d19eb3", +"75b7ba658ac0df4136a8c99e45a89e8963ee6cb4", +"75b7ba658ac0df4136a8c99e45a89e8963ee6cb4", +"6202d2e8af574cf41ed0eb15f3dd3800a7d19eb3", +"75b7ba658ac0df4136a8c99e45a89e8963ee6cb4", +"75b7ba658ac0df4136a8c99e45a89e8963ee6cb4", +"b122a17f59fdacd477aa3d62ab970b0d9d409960", +"e04eb69ed8fd2913e4f8a975d67b3f153b94532f", +"e04eb69ed8fd2913e4f8a975d67b3f153b94532f", +"b122a17f59fdacd477aa3d62ab970b0d9d409960", +"e04eb69ed8fd2913e4f8a975d67b3f153b94532f", +"e04eb69ed8fd2913e4f8a975d67b3f153b94532f", +"6c5f10a16ddc155ca3fce274b15d8fade2dbccd5", +"6dabbbfde6355d2e1dda40daefd512f7a5920a32", +"6dabbbfde6355d2e1dda40daefd512f7a5920a32", +"6c5f10a16ddc155ca3fce274b15d8fade2dbccd5", +"6dabbbfde6355d2e1dda40daefd512f7a5920a32", +"6dabbbfde6355d2e1dda40daefd512f7a5920a32", +"0e678dc1c66e314f01cfa92a80cb39d3d6d9b2a9", +"32f503544584cec4d138f56ea2128c27444fd66a", +"32f503544584cec4d138f56ea2128c27444fd66a", +"0e678dc1c66e314f01cfa92a80cb39d3d6d9b2a9", +"32f503544584cec4d138f56ea2128c27444fd66a", +"32f503544584cec4d138f56ea2128c27444fd66a", +"577dd42cc92de8d3cad62fcee5f5abbe051169ae", 
+"fa27d6bb10cd51f5f7f4347b44f75e7979d70efa", +"fa27d6bb10cd51f5f7f4347b44f75e7979d70efa", +"577dd42cc92de8d3cad62fcee5f5abbe051169ae", +"fa27d6bb10cd51f5f7f4347b44f75e7979d70efa", +"fa27d6bb10cd51f5f7f4347b44f75e7979d70efa", +"a19af76c5260dc6638fab5a6bf57cf79779032e9", +"17daa702fe03dc6a77d196eb486eed000436063c", +"17daa702fe03dc6a77d196eb486eed000436063c", +"a19af76c5260dc6638fab5a6bf57cf79779032e9", +"17daa702fe03dc6a77d196eb486eed000436063c", +"17daa702fe03dc6a77d196eb486eed000436063c", +"4393bdedd3e0b040c23993c327205daccfdf7f2f", +"a9f1f5ccd6624f90808b89fa104a0f0d8a68ee5d", +"a9f1f5ccd6624f90808b89fa104a0f0d8a68ee5d", +"4393bdedd3e0b040c23993c327205daccfdf7f2f", +"a9f1f5ccd6624f90808b89fa104a0f0d8a68ee5d", +"a9f1f5ccd6624f90808b89fa104a0f0d8a68ee5d", +"3890d4f8612db194a0f102749445617893d49aea", +"6937c4f4be5cab1a694eccefee940c4ab76b0d3d", +"6937c4f4be5cab1a694eccefee940c4ab76b0d3d", +"3890d4f8612db194a0f102749445617893d49aea", +"6937c4f4be5cab1a694eccefee940c4ab76b0d3d", +"6937c4f4be5cab1a694eccefee940c4ab76b0d3d", +"85fab3f9ae03cf33afe60df7f687e48c467abf7e", +"fc7f0b1126959e0a3f71ea346ea0de3e0e9d8e00", +"fc7f0b1126959e0a3f71ea346ea0de3e0e9d8e00", +"85fab3f9ae03cf33afe60df7f687e48c467abf7e", +"fc7f0b1126959e0a3f71ea346ea0de3e0e9d8e00", +"fc7f0b1126959e0a3f71ea346ea0de3e0e9d8e00", +"0b9d7accc6d0425551edbbeb27603d7676a2a1a3", +"d844a250ff898c706a08a2e91dba227f52124da2", +"d844a250ff898c706a08a2e91dba227f52124da2", +"0b9d7accc6d0425551edbbeb27603d7676a2a1a3", +"d844a250ff898c706a08a2e91dba227f52124da2", +"d844a250ff898c706a08a2e91dba227f52124da2", +"4e67194b36ca9e4a4aa87c36624c623d0066e4ea", +"1041c8f88b5fdb2952405e1994a6c8d36f26eb20", +"1041c8f88b5fdb2952405e1994a6c8d36f26eb20", +"4e67194b36ca9e4a4aa87c36624c623d0066e4ea", +"1041c8f88b5fdb2952405e1994a6c8d36f26eb20", +"1041c8f88b5fdb2952405e1994a6c8d36f26eb20", +"1eb9ca36973b8d255140f5e7c7f81697aa5adfe1", +"540e7bb7a77d6e6bebf6100879670073f081b0e9", +"540e7bb7a77d6e6bebf6100879670073f081b0e9", 
+"1eb9ca36973b8d255140f5e7c7f81697aa5adfe1", +"540e7bb7a77d6e6bebf6100879670073f081b0e9", +"540e7bb7a77d6e6bebf6100879670073f081b0e9", +"e4cc1e6957e59a170aff4973b6ab7df274af4fed", +"29c02d1fdb368dc909ca74ef711ae5bc978f6194", +"29c02d1fdb368dc909ca74ef711ae5bc978f6194", +"e4cc1e6957e59a170aff4973b6ab7df274af4fed", +"29c02d1fdb368dc909ca74ef711ae5bc978f6194", +"29c02d1fdb368dc909ca74ef711ae5bc978f6194", +"eb46f3058d1baa93b341057d2d83766cce8d8e96", +"cce5322a4826f779488d54c61b7f8dfb41fb9f57", +"cce5322a4826f779488d54c61b7f8dfb41fb9f57", +"eb46f3058d1baa93b341057d2d83766cce8d8e96", +"cce5322a4826f779488d54c61b7f8dfb41fb9f57", +"cce5322a4826f779488d54c61b7f8dfb41fb9f57", +"2a0afb10b70599a72450be67459bca868760b0b2", +"cdc05654c21cbd68c79d81d9ae7bb26fc1c19e30", +"cdc05654c21cbd68c79d81d9ae7bb26fc1c19e30", +"2a0afb10b70599a72450be67459bca868760b0b2", +"cdc05654c21cbd68c79d81d9ae7bb26fc1c19e30", +"cdc05654c21cbd68c79d81d9ae7bb26fc1c19e30", +"f999b33519d88ea244192c42635c549033341eb0", +"48a139a63a8cba24b11fe45ac08976fad310c3cd", +"48a139a63a8cba24b11fe45ac08976fad310c3cd", +"f999b33519d88ea244192c42635c549033341eb0", +"48a139a63a8cba24b11fe45ac08976fad310c3cd", +"48a139a63a8cba24b11fe45ac08976fad310c3cd", +"80aac08385b576311649afc91a05a3647acbd6fc", +"230266e82466584ae822516ed152e9b2814181f6", +"230266e82466584ae822516ed152e9b2814181f6", +"80aac08385b576311649afc91a05a3647acbd6fc", +"230266e82466584ae822516ed152e9b2814181f6", +"230266e82466584ae822516ed152e9b2814181f6", +"92218e6de8ee11943895900bee49b2f5f1a0ba69", +"b1b015aebc22c86fac3815c12861ea46bf417459", +"b1b015aebc22c86fac3815c12861ea46bf417459", +"92218e6de8ee11943895900bee49b2f5f1a0ba69", +"b1b015aebc22c86fac3815c12861ea46bf417459", +"b1b015aebc22c86fac3815c12861ea46bf417459", +"3ccbf8182b2f76308f60c3e344fd3786b1ec8619", +"200b2bf002ca66ec36a9f4d2eaa70102a21cac93", +"200b2bf002ca66ec36a9f4d2eaa70102a21cac93", +"3ccbf8182b2f76308f60c3e344fd3786b1ec8619", +"200b2bf002ca66ec36a9f4d2eaa70102a21cac93", 
+"200b2bf002ca66ec36a9f4d2eaa70102a21cac93", +"903479536adefa864fe9f95e94808ae5a0a9375e", +"d3e253638e824b0d7d5da534ca4b08595f8a77a9", +"d3e253638e824b0d7d5da534ca4b08595f8a77a9", +"903479536adefa864fe9f95e94808ae5a0a9375e", +"d3e253638e824b0d7d5da534ca4b08595f8a77a9", +"d3e253638e824b0d7d5da534ca4b08595f8a77a9", +"a7e4f7074c79ea601a8ce01c424da36a29394246", +"c3cef2f746e7abaed2aae53432ed7ef4d6fc177b", +"c3cef2f746e7abaed2aae53432ed7ef4d6fc177b", +"a7e4f7074c79ea601a8ce01c424da36a29394246", +"c3cef2f746e7abaed2aae53432ed7ef4d6fc177b", +"c3cef2f746e7abaed2aae53432ed7ef4d6fc177b", +"d185a15cdca09f45e499b426f2b1a7ef27b93c65", +"53b0f9859750ef4120dc3c59dae94f166cf490e8", +"53b0f9859750ef4120dc3c59dae94f166cf490e8", +"d185a15cdca09f45e499b426f2b1a7ef27b93c65", +"53b0f9859750ef4120dc3c59dae94f166cf490e8", +"53b0f9859750ef4120dc3c59dae94f166cf490e8", +"2a38de9ece554e053f09adcc83101e7822716957", +"a270f0cd351390cddfd0a205427ecfc7477c6eac", +"a270f0cd351390cddfd0a205427ecfc7477c6eac", +"2a38de9ece554e053f09adcc83101e7822716957", +"a270f0cd351390cddfd0a205427ecfc7477c6eac", +"a270f0cd351390cddfd0a205427ecfc7477c6eac", +"6e1bd107a19eb7bad598a535b68ec99a4230f9c4", +"31fd15abc83f3d6977d7cead1064081b65264fea", +"31fd15abc83f3d6977d7cead1064081b65264fea", +"6e1bd107a19eb7bad598a535b68ec99a4230f9c4", +"31fd15abc83f3d6977d7cead1064081b65264fea", +"31fd15abc83f3d6977d7cead1064081b65264fea", +"b963b04d2821c7cd45ffd5e8700ce323ccbb1311", +"d0e2fc09187f2446609537149231b0d241c72b4c", +"d0e2fc09187f2446609537149231b0d241c72b4c", +"b963b04d2821c7cd45ffd5e8700ce323ccbb1311", +"d0e2fc09187f2446609537149231b0d241c72b4c", +"d0e2fc09187f2446609537149231b0d241c72b4c", +"9511ad84fb413f7b5b25b7b9982fb9f20d85a86c", +"f3f5049b0660b44f759fe6444081ee8f963862e8", +"f3f5049b0660b44f759fe6444081ee8f963862e8", +"9511ad84fb413f7b5b25b7b9982fb9f20d85a86c", +"f3f5049b0660b44f759fe6444081ee8f963862e8", +"f3f5049b0660b44f759fe6444081ee8f963862e8", +"659e6d8cd7876c1d841e1f2cd835187b4d90005e", 
+"0575f660be4d504970521af9d940c5e2673e6f55", +"0575f660be4d504970521af9d940c5e2673e6f55", +"659e6d8cd7876c1d841e1f2cd835187b4d90005e", +"0575f660be4d504970521af9d940c5e2673e6f55", +"0575f660be4d504970521af9d940c5e2673e6f55", +"5a0600e3f3022ca2a572c2f535202780667dc890", +"bca44267dc28b0b8ac5ecfc81d5da1f6a8974f3e", +"bca44267dc28b0b8ac5ecfc81d5da1f6a8974f3e", +"5a0600e3f3022ca2a572c2f535202780667dc890", +"bca44267dc28b0b8ac5ecfc81d5da1f6a8974f3e", +"bca44267dc28b0b8ac5ecfc81d5da1f6a8974f3e", +"22430fd8f04f9c8430b62745d49af3949a0c3969", +"fad587ceb801ed5bd1e3a820402e44ad55427a2b", +"fad587ceb801ed5bd1e3a820402e44ad55427a2b", +"22430fd8f04f9c8430b62745d49af3949a0c3969", +"fad587ceb801ed5bd1e3a820402e44ad55427a2b", +"fad587ceb801ed5bd1e3a820402e44ad55427a2b", +"0684a0ea1bc6da8aba0c69e2fa97657a24573598", +"41a2a433e9a9323258f3add05e84740e937677c5", +"41a2a433e9a9323258f3add05e84740e937677c5", +"0684a0ea1bc6da8aba0c69e2fa97657a24573598", +"41a2a433e9a9323258f3add05e84740e937677c5", +"41a2a433e9a9323258f3add05e84740e937677c5", +"10094035a607ee3df6d875f41cce079926409b00", +"de0701164f33842031ba14134035f05990534c0f", +"de0701164f33842031ba14134035f05990534c0f", +"10094035a607ee3df6d875f41cce079926409b00", +"de0701164f33842031ba14134035f05990534c0f", +"de0701164f33842031ba14134035f05990534c0f", +"e65674c658dc0060f951315961720809e4ffb7b3", +"c86841eaae03f0090db9ffacd11d0db574aebf43", +"c86841eaae03f0090db9ffacd11d0db574aebf43", +"e65674c658dc0060f951315961720809e4ffb7b3", +"c86841eaae03f0090db9ffacd11d0db574aebf43", +"c86841eaae03f0090db9ffacd11d0db574aebf43", +"122bb9c7c72d134f537beba9425b29d6dab69016", +"b402d5f3d163ab932000fce7dbfe2c16d64561e5", +"b402d5f3d163ab932000fce7dbfe2c16d64561e5", +"122bb9c7c72d134f537beba9425b29d6dab69016", +"b402d5f3d163ab932000fce7dbfe2c16d64561e5", +"b402d5f3d163ab932000fce7dbfe2c16d64561e5", +"e1ac0c9d4c69807bc5fea5900c75b1c7a8f8e0a4", +"dd7af4dfd19a62982a0d5de8b35e331a481a6aad", +"dd7af4dfd19a62982a0d5de8b35e331a481a6aad", 
+"e1ac0c9d4c69807bc5fea5900c75b1c7a8f8e0a4", +"dd7af4dfd19a62982a0d5de8b35e331a481a6aad", +"dd7af4dfd19a62982a0d5de8b35e331a481a6aad", +"b18fa9e6594faef3247f5624d1bed351d5f65002", +"35c414a9563608296babbe83d751eefafbba2696", +"35c414a9563608296babbe83d751eefafbba2696", +"b18fa9e6594faef3247f5624d1bed351d5f65002", +"35c414a9563608296babbe83d751eefafbba2696", +"35c414a9563608296babbe83d751eefafbba2696", +"45da041fd04e173caa32b6d8006be79d6e12abbc", +"fc09069b25f42cb8dc6960eea76980a0ea8a768c", +"fc09069b25f42cb8dc6960eea76980a0ea8a768c", +"45da041fd04e173caa32b6d8006be79d6e12abbc", +"fc09069b25f42cb8dc6960eea76980a0ea8a768c", +"fc09069b25f42cb8dc6960eea76980a0ea8a768c", +"026e32404ac362a69e30f16d8e296f0019c328d5", +"0aba89d49b3a32e6be4874b954390a9a50b97d85", +"0aba89d49b3a32e6be4874b954390a9a50b97d85", +"026e32404ac362a69e30f16d8e296f0019c328d5", +"0aba89d49b3a32e6be4874b954390a9a50b97d85", +"0aba89d49b3a32e6be4874b954390a9a50b97d85", +"8f2f3c5af309911e0a58f01b03bfe204fcdb222a", +"2dd2b0caf193a21bd5588985a8c5e8a3a40c4790", +"2dd2b0caf193a21bd5588985a8c5e8a3a40c4790", +"8f2f3c5af309911e0a58f01b03bfe204fcdb222a", +"2dd2b0caf193a21bd5588985a8c5e8a3a40c4790", +"2dd2b0caf193a21bd5588985a8c5e8a3a40c4790", +"7f6fc39e9270a2119ce4f5dee21c1545551fb9e4", +"52d05230724cc874df7c4b4a0bbfd39d4b6085c7", +"52d05230724cc874df7c4b4a0bbfd39d4b6085c7", +"7f6fc39e9270a2119ce4f5dee21c1545551fb9e4", +"52d05230724cc874df7c4b4a0bbfd39d4b6085c7", +"52d05230724cc874df7c4b4a0bbfd39d4b6085c7", +"cc153155125660d02bb9fc542bb496668dc6e058", +"f54bf6a4c6f7c3d0077d152a094e3c7738cf0bd1", +"f54bf6a4c6f7c3d0077d152a094e3c7738cf0bd1", +"cc153155125660d02bb9fc542bb496668dc6e058", +"f54bf6a4c6f7c3d0077d152a094e3c7738cf0bd1", +"f54bf6a4c6f7c3d0077d152a094e3c7738cf0bd1", +"db62ba86c86fbfc024df2908ecab10eebab3893d", +"fcfcf1e45e8d5cdca0450b8dc90754b68e8e4673", +"fcfcf1e45e8d5cdca0450b8dc90754b68e8e4673", +"db62ba86c86fbfc024df2908ecab10eebab3893d", +"fcfcf1e45e8d5cdca0450b8dc90754b68e8e4673", 
+"fcfcf1e45e8d5cdca0450b8dc90754b68e8e4673",
+"e57311dc19d624ec0db73b5f4f312f4afe699ffa",
+"f88a948b0fd137d4b14cf5aec0c08066cb07e08d",
+"f88a948b0fd137d4b14cf5aec0c08066cb07e08d",
+"e57311dc19d624ec0db73b5f4f312f4afe699ffa",
+"f88a948b0fd137d4b14cf5aec0c08066cb07e08d",
+"f88a948b0fd137d4b14cf5aec0c08066cb07e08d",
+"53239726e6b5c599f56d7890368e33cc99191ddb",
+"c8c1a9b3ce4d3840538e7918603e9a0d99002545",
+"c8c1a9b3ce4d3840538e7918603e9a0d99002545",
+"53239726e6b5c599f56d7890368e33cc99191ddb",
+"c8c1a9b3ce4d3840538e7918603e9a0d99002545",
+"c8c1a9b3ce4d3840538e7918603e9a0d99002545",
+"e90f4d7e69609567994f20d43c45e4dc74d57070",
+"69599cb14da68fb05ba508d22a751233967bebda",
+"69599cb14da68fb05ba508d22a751233967bebda",
+"e90f4d7e69609567994f20d43c45e4dc74d57070",
+"69599cb14da68fb05ba508d22a751233967bebda",
+"69599cb14da68fb05ba508d22a751233967bebda",
+"913f2649046c764d54f6f9c86336ff555e571e35",
+"6afa1451bdabb3905168af6ee30a4cbb54caf5b1",
+"6afa1451bdabb3905168af6ee30a4cbb54caf5b1",
+"913f2649046c764d54f6f9c86336ff555e571e35",
+"6afa1451bdabb3905168af6ee30a4cbb54caf5b1",
+"6afa1451bdabb3905168af6ee30a4cbb54caf5b1",
+"fd044badaf8a08c40af7b6f633cc270084cb0ca0",
+"08466db9a488f46261453511a3da6462032ddaaf",
+"08466db9a488f46261453511a3da6462032ddaaf",
+"fd044badaf8a08c40af7b6f633cc270084cb0ca0",
+"08466db9a488f46261453511a3da6462032ddaaf",
+"08466db9a488f46261453511a3da6462032ddaaf",
+"c90aaae48ec6775d2dd40fb7c84c2c47332942b9",
+"c2a8776e21403eb00b38bfccd36d1c03dffb009e",
+"c2a8776e21403eb00b38bfccd36d1c03dffb009e",
+"c90aaae48ec6775d2dd40fb7c84c2c47332942b9",
+"c2a8776e21403eb00b38bfccd36d1c03dffb009e",
+"c2a8776e21403eb00b38bfccd36d1c03dffb009e",
+"a1d985e13c07eddfa2721b14f7c9f869b0d733c9",
+"c00cfb456fc6af0376fbea877b742594c443df97",
+"c00cfb456fc6af0376fbea877b742594c443df97",
+"a1d985e13c07eddfa2721b14f7c9f869b0d733c9",
+"c00cfb456fc6af0376fbea877b742594c443df97"
+]);
+DeviceFileEvents
+| where Timestamp >= ago(1d)
+| where SHA1 in (rclonefilehashes)
+
+```
+## Category
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|------------------------|----------|-------|
+| Initial access | | |
+| Execution | | |
+| Persistence | | |
+| Privilege escalation | | |
+| Defense evasion | | |
+| Credential Access | | |
+| Discovery | | |
+| Lateral movement | | |
+| Collection | | |
+| Command and control | | |
+| Exfiltration | v | |
+| Impact | | |
+| Vulnerability | | |
+| Exploit | | |
+| Misconfiguration | | |
+| Malware, component | | |
+| Ransomware | | |
+
+
+## Contributor info
+**Contributor:** LoZio
+**GitHub alias:** LoZio
+**Organization:** H&C Works
+**Contact info:**
diff --git a/Exfiltration/rclone-exfiltration-process.md b/Exfiltration/rclone-exfiltration-process.md
new file mode 100644
index 00000000..bf95f52b
--- /dev/null
+++ b/Exfiltration/rclone-exfiltration-process.md
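Review bot: The `rclonefilehashes` list carries each value several times (e.g. `0774c3fad552dffac99ef4089f9d18838dc391f2` four times in a row, and the exe/zip pairs repeated per version), which adds nothing to what `| where SHA1 in (rclonefilehashes)` matches; either deduplicate the list or say in the prose that it was generated from the per-version download listing and left unreduced on purpose, so the next maintainer does not have to wonder. The text says the query is meant to run about hourly, yet the filter is `| where Timestamp >= ago(1d)`, so every matching file event is re-raised on each run for a day; align the lookback with the schedule, e.g. `| where Timestamp >= ago(1h)`, or state that the wider window is intentional. A SHA1 match on official builds only fires for unmodified distribution files, so a recompiled or otherwise altered rclone is not covered; one sentence in the description noting that limitation would help analysts tune expectations. The second file, `rclone-exfiltration-process.md`, shows the same duplicated-pair pattern in its hash list; its hunk continues past this view, so the rest of that query could not be checked.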
@@ -0,0 +1,355 @@
+# Find Rclone usages
+RClone (https://rclone.org/) is a tool to send/receive data between local and cloud storage. It is commonly used as an exfiltration vector.
+This query finds all the processes executed from a RClone distribution package, both for Win32 and Win64, via SHA1 hash of the binary and program properties.
+All versions from 0.96 to 1.56 (from https://downloads.rclone.org/, latest on Aug 20, 2021) are considered.
+
+This query can be run automatically at some fast pace (like 1h) to generate an alert when an unexpected rclone process is started.
+
+## Query
+```
+let rcloneexeonlyhashes = dynamic([
+"713d4a18177e9091c91a1e885d846e084fd19ebe",
+"c7f41e8349d93f581704fc7d46a0a86451b701bf",
+"713d4a18177e9091c91a1e885d846e084fd19ebe",
+"c7f41e8349d93f581704fc7d46a0a86451b701bf",
+"f11acf701130422f0b291e74a29b5c0c82967e22",
+"575ed20f418d6c84d74c527c40d098c7c145ba49",
+"f11acf701130422f0b291e74a29b5c0c82967e22",
+"575ed20f418d6c84d74c527c40d098c7c145ba49",
+"0774c3fad552dffac99ef4089f9d18838dc391f2",
+"0774c3fad552dffac99ef4089f9d18838dc391f2",
+"9ab49d4dd789eea3f2491406a2cda8ca1eb97999",
+"07da4a6aff4596d286f60c44fc0e340179d080ce",
+"9ab49d4dd789eea3f2491406a2cda8ca1eb97999",
+"07da4a6aff4596d286f60c44fc0e340179d080ce",
+"54e4146c3a72dca28287cfec84dc398d4bf9da66",
+"af3a8302fb7fe9cc8345b52ae45e531ad17b5959",
+"54e4146c3a72dca28287cfec84dc398d4bf9da66",
+"af3a8302fb7fe9cc8345b52ae45e531ad17b5959",
+"7114bd9865f2dfc7651d9fe05ef9fbf5df8affa2",
+"eec2bcb14105ab778ad7c220a40714283a9b9ff7",
+"7114bd9865f2dfc7651d9fe05ef9fbf5df8affa2",
+"eec2bcb14105ab778ad7c220a40714283a9b9ff7",
+"9b7eea8b59a078ec6c0ee2934cfbd45d535e96eb",
+"5bc41e54d81c80ed01ea75c4089678af71c9f964",
+"9b7eea8b59a078ec6c0ee2934cfbd45d535e96eb",
+"5bc41e54d81c80ed01ea75c4089678af71c9f964",
+"587cdd23bf627ad7d326ce1f6ba88a7234bce51d",
+"d4bd849dd9e74b8e6e7300d456ef5b0141dd5b5a",
+"587cdd23bf627ad7d326ce1f6ba88a7234bce51d",
+"d4bd849dd9e74b8e6e7300d456ef5b0141dd5b5a",
+"e512016cbe67dbd7922cc8f2437c2b94fdf4045b", +"08da698c5c817f1799630c6edc207f049e07b4da", +"e512016cbe67dbd7922cc8f2437c2b94fdf4045b", +"08da698c5c817f1799630c6edc207f049e07b4da", +"e2f09c54f5324b439904b09591fe2084178ab83b", +"8a739e6cde1d0a7b5cf1e54a5fe21a7b73693d00", +"e2f09c54f5324b439904b09591fe2084178ab83b", +"8a739e6cde1d0a7b5cf1e54a5fe21a7b73693d00", +"7069d578c390c50e2277d174079532b72e5753d4", +"90f618e7772327c6193cd9df242a3a1c80d70143", +"7069d578c390c50e2277d174079532b72e5753d4", +"90f618e7772327c6193cd9df242a3a1c80d70143", +"fc02d5739e7174fa98a47cd4e32ad8b5d86f37d9", +"59d76dda2e878942d01e352eb2a1ba938dd0a894", +"fc02d5739e7174fa98a47cd4e32ad8b5d86f37d9", +"59d76dda2e878942d01e352eb2a1ba938dd0a894", +"173b81e84b0dd815f15f650859feebc32ca0e001", +"ff17f910f6927a634deaeeb29cb1baeb99d08513", +"173b81e84b0dd815f15f650859feebc32ca0e001", +"ff17f910f6927a634deaeeb29cb1baeb99d08513", +"f9abe4d61972a816635df8e365bb310a8e61e65a", +"df6363ca6e9ff658b929daa31791642efb320c5f", +"f9abe4d61972a816635df8e365bb310a8e61e65a", +"df6363ca6e9ff658b929daa31791642efb320c5f", +"d4a0888b93bca42b3581fc049b0476bbe13d503b", +"1d24fb905b5bcf910e81d354990dd8e76c6baeb0", +"d4a0888b93bca42b3581fc049b0476bbe13d503b", +"1d24fb905b5bcf910e81d354990dd8e76c6baeb0", +"872348ff87d82dbf47133a080b0154746f540909", +"2a9673f9c6698ffdc26dc63881b739aa7048e4f7", +"872348ff87d82dbf47133a080b0154746f540909", +"2a9673f9c6698ffdc26dc63881b739aa7048e4f7", +"a87edb3df5e22aad29e32ef8c1c6e01358a6b2c2", +"ccd1d542390ce2daac302142447727462bf780a1", +"a87edb3df5e22aad29e32ef8c1c6e01358a6b2c2", +"ccd1d542390ce2daac302142447727462bf780a1", +"bf80ee04ef669df2cb65f8ea87825dacde9b612c", +"47e5264da85973037ea3577651934677f5897927", +"bf80ee04ef669df2cb65f8ea87825dacde9b612c", +"47e5264da85973037ea3577651934677f5897927", +"64d5216d9e039238cf7ccb755ab8efbfca2d24de", +"bd38a1311858c6bfbf78247572ebde6dc6a4f601", +"64d5216d9e039238cf7ccb755ab8efbfca2d24de", +"bd38a1311858c6bfbf78247572ebde6dc6a4f601", 
+"086c9ed833769162b84313c5616141e081fece49", +"adb0112f007874d18bb3389e56bb9593808d9110", +"086c9ed833769162b84313c5616141e081fece49", +"adb0112f007874d18bb3389e56bb9593808d9110", +"916313e0a2e351c82dc99f543ff738fa4cd888f9", +"32bb3dac48ef079acd62254d901fe4119ddac440", +"916313e0a2e351c82dc99f543ff738fa4cd888f9", +"32bb3dac48ef079acd62254d901fe4119ddac440", +"1fd69a06e8a4530d62c53c62eabc957e7575cd72", +"24716ddb72d6fb33287b3da2a4d1b3f18ecb9390", +"1fd69a06e8a4530d62c53c62eabc957e7575cd72", +"24716ddb72d6fb33287b3da2a4d1b3f18ecb9390", +"97a0b46efb4d86a5241a104f4a64261b7a80dcd5", +"44774ad6aa7ac68b48038555ff7e9a8bef66a2a7", +"97a0b46efb4d86a5241a104f4a64261b7a80dcd5", +"44774ad6aa7ac68b48038555ff7e9a8bef66a2a7", +"5c2513d14f2ff15b15e2494dff4b89ff968a9e82", +"c924530ea27f5a9c15fa8a46fd1b1d10e0681654", +"5c2513d14f2ff15b15e2494dff4b89ff968a9e82", +"c924530ea27f5a9c15fa8a46fd1b1d10e0681654", +"1f76dd9f672b3290ae91ad8f8f19b6c5779e53c3", +"a9d6536efecfae3925666d858c19a811c4b12a98", +"1f76dd9f672b3290ae91ad8f8f19b6c5779e53c3", +"a9d6536efecfae3925666d858c19a811c4b12a98", +"30350bda781eecee69b8e6e38ff48791e24406ea", +"af56bb89b9b40c7c490e1979af790ac3e03930a6", +"30350bda781eecee69b8e6e38ff48791e24406ea", +"af56bb89b9b40c7c490e1979af790ac3e03930a6", +"2971fb77060ed53fe093abb4b86341a3e546d6e4", +"60dfcf54f11dd7e20cdb310e52a35326fe6ef7d3", +"2971fb77060ed53fe093abb4b86341a3e546d6e4", +"60dfcf54f11dd7e20cdb310e52a35326fe6ef7d3", +"493994b0557351bd58535a46e20a88bc5cfa82d7", +"5e12eee87f1a5cbcdbe525fe7da1d435d5c8e0ce", +"493994b0557351bd58535a46e20a88bc5cfa82d7", +"5e12eee87f1a5cbcdbe525fe7da1d435d5c8e0ce", +"df15b2e543d4126aa67e1a64fc136cc3259a10d8", +"5b86a86fb66f271f32f4f41f1e0c57bab793826f", +"df15b2e543d4126aa67e1a64fc136cc3259a10d8", +"5b86a86fb66f271f32f4f41f1e0c57bab793826f", +"695130ce7b634cf6b75491385fadde9137fc145c", +"06de267e53935bac592a801e33ff9c3a5b72f4dd", +"695130ce7b634cf6b75491385fadde9137fc145c", +"06de267e53935bac592a801e33ff9c3a5b72f4dd", 
+"6202d2e8af574cf41ed0eb15f3dd3800a7d19eb3", +"75b7ba658ac0df4136a8c99e45a89e8963ee6cb4", +"6202d2e8af574cf41ed0eb15f3dd3800a7d19eb3", +"75b7ba658ac0df4136a8c99e45a89e8963ee6cb4", +"b122a17f59fdacd477aa3d62ab970b0d9d409960", +"e04eb69ed8fd2913e4f8a975d67b3f153b94532f", +"b122a17f59fdacd477aa3d62ab970b0d9d409960", +"e04eb69ed8fd2913e4f8a975d67b3f153b94532f", +"6c5f10a16ddc155ca3fce274b15d8fade2dbccd5", +"6dabbbfde6355d2e1dda40daefd512f7a5920a32", +"6c5f10a16ddc155ca3fce274b15d8fade2dbccd5", +"6dabbbfde6355d2e1dda40daefd512f7a5920a32", +"0e678dc1c66e314f01cfa92a80cb39d3d6d9b2a9", +"32f503544584cec4d138f56ea2128c27444fd66a", +"0e678dc1c66e314f01cfa92a80cb39d3d6d9b2a9", +"32f503544584cec4d138f56ea2128c27444fd66a", +"577dd42cc92de8d3cad62fcee5f5abbe051169ae", +"fa27d6bb10cd51f5f7f4347b44f75e7979d70efa", +"577dd42cc92de8d3cad62fcee5f5abbe051169ae", +"fa27d6bb10cd51f5f7f4347b44f75e7979d70efa", +"a19af76c5260dc6638fab5a6bf57cf79779032e9", +"17daa702fe03dc6a77d196eb486eed000436063c", +"a19af76c5260dc6638fab5a6bf57cf79779032e9", +"17daa702fe03dc6a77d196eb486eed000436063c", +"4393bdedd3e0b040c23993c327205daccfdf7f2f", +"a9f1f5ccd6624f90808b89fa104a0f0d8a68ee5d", +"4393bdedd3e0b040c23993c327205daccfdf7f2f", +"a9f1f5ccd6624f90808b89fa104a0f0d8a68ee5d", +"3890d4f8612db194a0f102749445617893d49aea", +"6937c4f4be5cab1a694eccefee940c4ab76b0d3d", +"3890d4f8612db194a0f102749445617893d49aea", +"6937c4f4be5cab1a694eccefee940c4ab76b0d3d", +"85fab3f9ae03cf33afe60df7f687e48c467abf7e", +"fc7f0b1126959e0a3f71ea346ea0de3e0e9d8e00", +"85fab3f9ae03cf33afe60df7f687e48c467abf7e", +"fc7f0b1126959e0a3f71ea346ea0de3e0e9d8e00", +"0b9d7accc6d0425551edbbeb27603d7676a2a1a3", +"d844a250ff898c706a08a2e91dba227f52124da2", +"0b9d7accc6d0425551edbbeb27603d7676a2a1a3", +"d844a250ff898c706a08a2e91dba227f52124da2", +"4e67194b36ca9e4a4aa87c36624c623d0066e4ea", +"1041c8f88b5fdb2952405e1994a6c8d36f26eb20", +"4e67194b36ca9e4a4aa87c36624c623d0066e4ea", +"1041c8f88b5fdb2952405e1994a6c8d36f26eb20", 
+"1eb9ca36973b8d255140f5e7c7f81697aa5adfe1", +"540e7bb7a77d6e6bebf6100879670073f081b0e9", +"1eb9ca36973b8d255140f5e7c7f81697aa5adfe1", +"540e7bb7a77d6e6bebf6100879670073f081b0e9", +"e4cc1e6957e59a170aff4973b6ab7df274af4fed", +"29c02d1fdb368dc909ca74ef711ae5bc978f6194", +"e4cc1e6957e59a170aff4973b6ab7df274af4fed", +"29c02d1fdb368dc909ca74ef711ae5bc978f6194", +"eb46f3058d1baa93b341057d2d83766cce8d8e96", +"cce5322a4826f779488d54c61b7f8dfb41fb9f57", +"eb46f3058d1baa93b341057d2d83766cce8d8e96", +"cce5322a4826f779488d54c61b7f8dfb41fb9f57", +"2a0afb10b70599a72450be67459bca868760b0b2", +"cdc05654c21cbd68c79d81d9ae7bb26fc1c19e30", +"2a0afb10b70599a72450be67459bca868760b0b2", +"cdc05654c21cbd68c79d81d9ae7bb26fc1c19e30", +"f999b33519d88ea244192c42635c549033341eb0", +"48a139a63a8cba24b11fe45ac08976fad310c3cd", +"f999b33519d88ea244192c42635c549033341eb0", +"48a139a63a8cba24b11fe45ac08976fad310c3cd", +"80aac08385b576311649afc91a05a3647acbd6fc", +"230266e82466584ae822516ed152e9b2814181f6", +"80aac08385b576311649afc91a05a3647acbd6fc", +"230266e82466584ae822516ed152e9b2814181f6", +"92218e6de8ee11943895900bee49b2f5f1a0ba69", +"b1b015aebc22c86fac3815c12861ea46bf417459", +"92218e6de8ee11943895900bee49b2f5f1a0ba69", +"b1b015aebc22c86fac3815c12861ea46bf417459", +"3ccbf8182b2f76308f60c3e344fd3786b1ec8619", +"200b2bf002ca66ec36a9f4d2eaa70102a21cac93", +"3ccbf8182b2f76308f60c3e344fd3786b1ec8619", +"200b2bf002ca66ec36a9f4d2eaa70102a21cac93", +"903479536adefa864fe9f95e94808ae5a0a9375e", +"d3e253638e824b0d7d5da534ca4b08595f8a77a9", +"903479536adefa864fe9f95e94808ae5a0a9375e", +"d3e253638e824b0d7d5da534ca4b08595f8a77a9", +"a7e4f7074c79ea601a8ce01c424da36a29394246", +"c3cef2f746e7abaed2aae53432ed7ef4d6fc177b", +"a7e4f7074c79ea601a8ce01c424da36a29394246", +"c3cef2f746e7abaed2aae53432ed7ef4d6fc177b", +"d185a15cdca09f45e499b426f2b1a7ef27b93c65", +"53b0f9859750ef4120dc3c59dae94f166cf490e8", +"d185a15cdca09f45e499b426f2b1a7ef27b93c65", +"53b0f9859750ef4120dc3c59dae94f166cf490e8", 
+"2a38de9ece554e053f09adcc83101e7822716957",
+"a270f0cd351390cddfd0a205427ecfc7477c6eac",
+"2a38de9ece554e053f09adcc83101e7822716957",
+"a270f0cd351390cddfd0a205427ecfc7477c6eac",
+"6e1bd107a19eb7bad598a535b68ec99a4230f9c4",
+"31fd15abc83f3d6977d7cead1064081b65264fea",
+"6e1bd107a19eb7bad598a535b68ec99a4230f9c4",
+"31fd15abc83f3d6977d7cead1064081b65264fea",
+"b963b04d2821c7cd45ffd5e8700ce323ccbb1311",
+"d0e2fc09187f2446609537149231b0d241c72b4c",
+"b963b04d2821c7cd45ffd5e8700ce323ccbb1311",
+"d0e2fc09187f2446609537149231b0d241c72b4c",
+"9511ad84fb413f7b5b25b7b9982fb9f20d85a86c",
+"f3f5049b0660b44f759fe6444081ee8f963862e8",
+"9511ad84fb413f7b5b25b7b9982fb9f20d85a86c",
+"f3f5049b0660b44f759fe6444081ee8f963862e8",
+"659e6d8cd7876c1d841e1f2cd835187b4d90005e",
+"0575f660be4d504970521af9d940c5e2673e6f55",
+"659e6d8cd7876c1d841e1f2cd835187b4d90005e",
+"0575f660be4d504970521af9d940c5e2673e6f55",
+"5a0600e3f3022ca2a572c2f535202780667dc890",
+"bca44267dc28b0b8ac5ecfc81d5da1f6a8974f3e",
+"5a0600e3f3022ca2a572c2f535202780667dc890",
+"bca44267dc28b0b8ac5ecfc81d5da1f6a8974f3e",
+"22430fd8f04f9c8430b62745d49af3949a0c3969",
+"fad587ceb801ed5bd1e3a820402e44ad55427a2b",
+"22430fd8f04f9c8430b62745d49af3949a0c3969",
+"fad587ceb801ed5bd1e3a820402e44ad55427a2b",
+"0684a0ea1bc6da8aba0c69e2fa97657a24573598",
+"41a2a433e9a9323258f3add05e84740e937677c5",
+"0684a0ea1bc6da8aba0c69e2fa97657a24573598",
+"41a2a433e9a9323258f3add05e84740e937677c5",
+"10094035a607ee3df6d875f41cce079926409b00",
+"de0701164f33842031ba14134035f05990534c0f",
+"10094035a607ee3df6d875f41cce079926409b00",
+"de0701164f33842031ba14134035f05990534c0f",
+"e65674c658dc0060f951315961720809e4ffb7b3",
+"c86841eaae03f0090db9ffacd11d0db574aebf43",
+"e65674c658dc0060f951315961720809e4ffb7b3",
+"c86841eaae03f0090db9ffacd11d0db574aebf43",
+"122bb9c7c72d134f537beba9425b29d6dab69016",
+"b402d5f3d163ab932000fce7dbfe2c16d64561e5",
+"122bb9c7c72d134f537beba9425b29d6dab69016",
+"b402d5f3d163ab932000fce7dbfe2c16d64561e5",
+"e1ac0c9d4c69807bc5fea5900c75b1c7a8f8e0a4",
+"dd7af4dfd19a62982a0d5de8b35e331a481a6aad",
+"e1ac0c9d4c69807bc5fea5900c75b1c7a8f8e0a4",
+"dd7af4dfd19a62982a0d5de8b35e331a481a6aad",
+"b18fa9e6594faef3247f5624d1bed351d5f65002",
+"35c414a9563608296babbe83d751eefafbba2696",
+"b18fa9e6594faef3247f5624d1bed351d5f65002",
+"35c414a9563608296babbe83d751eefafbba2696",
+"45da041fd04e173caa32b6d8006be79d6e12abbc",
+"fc09069b25f42cb8dc6960eea76980a0ea8a768c",
+"45da041fd04e173caa32b6d8006be79d6e12abbc",
+"fc09069b25f42cb8dc6960eea76980a0ea8a768c",
+"026e32404ac362a69e30f16d8e296f0019c328d5",
+"0aba89d49b3a32e6be4874b954390a9a50b97d85",
+"026e32404ac362a69e30f16d8e296f0019c328d5",
+"0aba89d49b3a32e6be4874b954390a9a50b97d85",
+"8f2f3c5af309911e0a58f01b03bfe204fcdb222a",
+"2dd2b0caf193a21bd5588985a8c5e8a3a40c4790",
+"8f2f3c5af309911e0a58f01b03bfe204fcdb222a",
+"2dd2b0caf193a21bd5588985a8c5e8a3a40c4790",
+"7f6fc39e9270a2119ce4f5dee21c1545551fb9e4",
+"52d05230724cc874df7c4b4a0bbfd39d4b6085c7",
+"7f6fc39e9270a2119ce4f5dee21c1545551fb9e4",
+"52d05230724cc874df7c4b4a0bbfd39d4b6085c7",
+"cc153155125660d02bb9fc542bb496668dc6e058",
+"f54bf6a4c6f7c3d0077d152a094e3c7738cf0bd1",
+"cc153155125660d02bb9fc542bb496668dc6e058",
+"f54bf6a4c6f7c3d0077d152a094e3c7738cf0bd1",
+"db62ba86c86fbfc024df2908ecab10eebab3893d",
+"fcfcf1e45e8d5cdca0450b8dc90754b68e8e4673",
+"db62ba86c86fbfc024df2908ecab10eebab3893d",
+"fcfcf1e45e8d5cdca0450b8dc90754b68e8e4673",
+"e57311dc19d624ec0db73b5f4f312f4afe699ffa",
+"f88a948b0fd137d4b14cf5aec0c08066cb07e08d",
+"e57311dc19d624ec0db73b5f4f312f4afe699ffa",
+"f88a948b0fd137d4b14cf5aec0c08066cb07e08d",
+"53239726e6b5c599f56d7890368e33cc99191ddb",
+"c8c1a9b3ce4d3840538e7918603e9a0d99002545",
+"53239726e6b5c599f56d7890368e33cc99191ddb",
+"c8c1a9b3ce4d3840538e7918603e9a0d99002545",
+"e90f4d7e69609567994f20d43c45e4dc74d57070",
+"69599cb14da68fb05ba508d22a751233967bebda",
+"e90f4d7e69609567994f20d43c45e4dc74d57070",
+"69599cb14da68fb05ba508d22a751233967bebda",
+"913f2649046c764d54f6f9c86336ff555e571e35",
+"6afa1451bdabb3905168af6ee30a4cbb54caf5b1",
+"913f2649046c764d54f6f9c86336ff555e571e35",
+"6afa1451bdabb3905168af6ee30a4cbb54caf5b1",
+"fd044badaf8a08c40af7b6f633cc270084cb0ca0",
+"08466db9a488f46261453511a3da6462032ddaaf",
+"fd044badaf8a08c40af7b6f633cc270084cb0ca0",
+"08466db9a488f46261453511a3da6462032ddaaf",
+"c90aaae48ec6775d2dd40fb7c84c2c47332942b9",
+"c2a8776e21403eb00b38bfccd36d1c03dffb009e",
+"c90aaae48ec6775d2dd40fb7c84c2c47332942b9",
+"c2a8776e21403eb00b38bfccd36d1c03dffb009e",
+"a1d985e13c07eddfa2721b14f7c9f869b0d733c9",
+"c00cfb456fc6af0376fbea877b742594c443df97",
+"a1d985e13c07eddfa2721b14f7c9f869b0d733c9",
+"c00cfb456fc6af0376fbea877b742594c443df97"
+]);
+let rname = "rclone";
+DeviceProcessEvents
+| where Timestamp >= ago(1d)
+| where SHA1 in (rcloneexeonlyhashes) or FileName contains rname or ProcessVersionInfoCompanyName contains rname or ProcessVersionInfoCompanyName contains rname
+
+```
+## Category
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|------------------------|----------|-------|
+| Initial access | | |
+| Execution | | |
+| Persistence | | |
+| Privilege escalation | | |
+| Defense evasion | | |
+| Credential Access | | |
+| Discovery | | |
+| Lateral movement | | |
+| Collection | | |
+| Command and control | | |
+| Exfiltration | v | |
+| Impact | | |
+| Vulnerability | | |
+| Exploit | | |
+| Misconfiguration | | |
+| Malware, component | | |
+| Ransomware | | |
+
+
+## Contributor info
+**Contributor:** LoZio
+**GitHub alias:** LoZio
+**Organization:** H&C Works
+**Contact info:**