Summary
Detects potential data exfiltration via the rclone utility on Windows endpoints. The rule flags process creation events for rclone.exe when it is invoked with the copy or sync command, including cases where the binary has been renamed to evade detection (e.g., TrendFileSecurityCheck.exe). It looks for evidence of data being sent to cloud storage backends or remote HTTP endpoints by inspecting command-line arguments such as --include and --transfers and the destination syntax (e.g., :s3:, http). To reduce noise, it excludes known legitimate usage patterns, such as certain --config paths or executables located under Program Files, and it cross-checks process.original_file_name to catch renamed copies.

The rule supports detection across Windows hosts via multiple data sources (e.g., Sysmon, Windows Security Event Logs, and telemetry from endpoint security products) and correlates process activity with outbound network destinations to identify exfiltration activity. The primary technique is Exfiltration Over Alternative Protocol (T1048) under the Exfiltration tactic (TA0010).

The rule includes triage guidance: verify the rclone command line, identify the source and destination paths, review the include/exclude filters, and confirm whether the activity is legitimate. False positives may arise from legitimate backup or sync jobs that use rclone; mitigate by allowlisting known rclone paths or configurations. Remediation steps include terminating the rclone process, isolating the host if exfiltration is confirmed, revoking destination credentials (e.g., API keys, tokens), preserving logs for forensics, and rotating any exposed credentials. The rule emphasizes contextual collection (process path, arguments, original file name, and destination patterns) together with rapid containment and credential hygiene for suspected exfiltration events.
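The detection logic described above, as an added example that is not the rule's own query or code, applied to constructed Sysmon-style process-creation events. The --config allowlist, the sample paths and the sample command lines are assumptions made for illustration.

```python
import shlex
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical allowlist of --config paths used by sanctioned backup jobs (an assumption, not from the rule).
ALLOWED_CONFIG_PATHS = {r"c:\programdata\backupjob\rclone.conf"}

@dataclass(frozen=True)
class Finding:
    matched: bool
    reason: str

def evaluate_process_event(image, command_line, original_file_name):
    path = PureWindowsPath(image)
    exe = path.name.lower()
    # original_file_name comes from the PE version resource, so it survives a rename on disk.
    if exe != "rclone.exe" and (original_file_name or "").lower() != "rclone.exe":
        return Finding(False, "not rclone")
    # posix=False keeps Windows backslashes intact; drop the quotes shlex leaves on tokens.
    args = [t.replace('"', "").lower() for t in shlex.split(command_line, posix=False)][1:]
    if not any(a in ("copy", "sync") for a in args):
        return Finding(False, "no copy/sync command")
    # Exclusions: binary installed under Program Files, or an allowlisted --config path.
    if any(p.lower().startswith("program files") for p in path.parts):
        return Finding(False, "excluded: Program Files install")
    for i, a in enumerate(args):
        cfg = a[9:] if a.startswith("--config=") else args[i + 1] if a == "--config" and i + 1 < len(args) else None
        if cfg in ALLOWED_CONFIG_PATHS:
            return Finding(False, "excluded: allowlisted --config")
    # Evidence of a remote destination (S3 backend or HTTP endpoint) or bulk-transfer tuning.
    remote = any(":s3:" in a or a.startswith("http") for a in args)
    tuning = any(a.startswith(("--include", "--transfers")) for a in args)
    if not (remote or tuning):
        return Finding(False, "no remote destination or transfer flags")
    if exe != "rclone.exe":
        return Finding(True, f"renamed rclone ({exe}) copy/sync to remote destination")
    return Finding(True, "rclone copy/sync to remote destination")

# Constructed sample events (image, command line, original_file_name), not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Users\alice\AppData\Local\Temp\TrendFileSecurityCheck.exe",
     r'TrendFileSecurityCheck.exe copy "C:\Finance" :s3:external-bucket/ --include "*.xlsx" --transfers 32',
     "rclone.exe"),
    (r"C:\Program Files\rclone\rclone.exe",
     r'rclone.exe sync D:\Backups backup:nightly --config "C:\ProgramData\BackupJob\rclone.conf"',
     "rclone.exe"),
    (r"C:\Windows\notepad.exe", r"notepad.exe C:\notes.txt", "NOTEPAD.EXE"),
]

def run_samples():
    return [evaluate_process_event(*event).matched for event in SAMPLE_EVENTS]
```

Only the renamed binary copying to an S3 backend is flagged; the Program Files install is excluded before the destination check runs, which is the allowlisting behaviour the false-positive guidance relies on.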
Categories
- Endpoint
- Windows
- Cloud
- Network
Data Sources
- Process
ATT&CK Techniques
- T1048
Created: 2026-03-18