
Rclone Config File Creation

Sigma Rules

Summary
This detection rule identifies the creation of Rclone configuration files on Windows systems. Rclone is a command-line program for managing files across cloud storage services, and its configuration files can give an attacker easy access to sensitive data. The rule uses file event logs to watch for configuration files at the location typically used under the user's profile directory, `.config/rclone/`. By triggering on the creation of any file under that path, the detection aims to surface potentially unauthorized or malicious use of Rclone, particularly in data exfiltration scenarios. Rclone is a legitimate tool in many organizations, but its capacity to move data out of the environment warrants careful monitoring, since misuse can result in significant data breaches and loss of sensitive information.
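As an added example (not part of the original rule or of the Sigma project), the matching logic the summary describes, applied in Python to constructed Sysmon FileCreate (Event ID 11) events; the field names `EventID`, `User`, `Image` and `TargetFilename`, the path pattern, and the sample events are assumptions:

```python
"""Flag creation of files under a user's .config\\rclone\\ directory.

Added example, not the rule's own code. Assumes Sysmon Event ID 11
(FileCreate) records flattened into dicts; the sample events are constructed.
"""
import re

# <drive>:\Users\<name>\.config\rclone\<file>, either separator, any case.
# The directory itself (no trailing separator) does not match; only files in it.
RCLONE_CONFIG_RE = re.compile(
    r"^(?P<profile>[A-Za-z]:[\\/]Users[\\/][^\\/]+)[\\/]\.config[\\/]rclone[\\/]",
    re.IGNORECASE,
)


def is_rclone_config_creation(event: dict) -> bool:
    """True when a FileCreate event writes into a user's .config\\rclone\\ dir."""
    if event.get("EventID") != 11:
        return False
    return RCLONE_CONFIG_RE.match(event.get("TargetFilename", "")) is not None


def find_alerts(events):
    """Yield one alert per match, keeping the context a responder wants:
    the account, the writing process, and the created path."""
    for ev in events:
        if is_rclone_config_creation(ev):
            yield {"user": ev.get("User"), "image": ev.get("Image"),
                   "path": ev["TargetFilename"]}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "User": "CORP\\alice", "Image": "C:\\Tools\\rclone.exe",
     "TargetFilename": "C:\\Users\\alice\\.config\\rclone\\rclone.conf"},
    {"EventID": 11, "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\bob\\Documents\\notes.txt"},
    # A renamed binary still writes to the default config path, so the
    # file-based rule catches it where an image-name match would not.
    {"EventID": 11, "User": "CORP\\carol",
     "Image": "C:\\Users\\carol\\AppData\\Local\\Temp\\svchost.exe",
     "TargetFilename": "C:\\Users\\carol\\.config\\rclone\\rclone.conf"},
    # Process-create event, not a file event: out of scope for this rule.
    {"EventID": 1, "User": "CORP\\dave", "Image": "C:\\Tools\\rclone.exe",
     "TargetFilename": ""},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Where Rclone is sanctioned, the `image` and `user` fields in each alert are what an analyst compares against the approved-tool baseline before escalating.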
Categories
  • Endpoint
  • Windows
Data Sources
  • File
Created: 2021-05-26