← Back to SOC feed Coverage →

PUA - Restic Backup Tool Execution

sigma HIGH SigmaHQ
T1048T1567.002
imProcessCreate
backdoor
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-17T11:00:00Z · Confidence: low

Hunt Hypothesis

Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, includ

Detection Rule

Sigma (Original)

title: PUA - Restic Backup Tool Execution
id: 6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7
status: experimental
description: |
    Detects the execution of the Restic backup tool, which can be used for data exfiltration.
    Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
    If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
references:
    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
    - https://restic.net/
    - https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html
author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048
    - attack.t1567.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_specific:
        - CommandLine|contains|all:
              - '--password-file'
              - 'init'
              - ' -r '
        - CommandLine|contains|all:
              - '--use-fs-snapshot'
              - 'backup'
              - ' -r '
    selection_restic:
        CommandLine|contains:
            - 'sftp:'
            - 'rest:http'
            - 's3:s3.'
            - 's3.http'
            - 'azure:'
            - ' gs:'
            - 'rclone:'
            - 'swift:'
            - ' b2:'
        CommandLine|contains|all:
            - ' init '
            - ' -r '
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Restic for backup purposes within the organization.
level: high

KQL (Azure Sentinel)

imProcessCreate
| where ((TargetProcessCommandLine contains "--password-file" and TargetProcessCommandLine contains "init" and TargetProcessCommandLine contains " -r ") or (TargetProcessCommandLine contains "--use-fs-snapshot" and TargetProcessCommandLine contains "backup" and TargetProcessCommandLine contains " -r ")) or ((TargetProcessCommandLine contains "sftp:" or TargetProcessCommandLine contains "rest:http" or TargetProcessCommandLine contains "s3:s3." or TargetProcessCommandLine contains "s3.http" or TargetProcessCommandLine contains "azure:" or TargetProcessCommandLine contains " gs:" or TargetProcessCommandLine contains "rclone:" or TargetProcessCommandLine contains "swift:" or TargetProcessCommandLine contains " b2:") and (TargetProcessCommandLine contains " init " and TargetProcessCommandLine contains " -r "))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_pua_restic.yml