rules/linux/lnx_file_copy.yml

title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
author: Ömer Günal
date: 2020/06/18
references:
    - https://attack.mitre.org/techniques/T1105/
logsource:
    product: linux
detection:
    tools:
        - 'scp '
        - 'rsync '
        - 'sftp '
    filter:
        - '@'
        - ':'
    condition: tools and filter
falsepositives:
    - Legitimate administration activities
level: low
tags:
    - attack.command_and_control
    - attack.lateral_movement
    - attack.t1105
Remote file copy 2020-06-18 23:37:49 +03:00			`title: Remote File Copy`
			`id: 7a14080d-a048-4de8-ae58-604ce58a795b`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`status: stable`
Update lnx_file_copy.yml 2020-07-03 11:32:49 +02:00			`description: Detects the use of tools that copy files from or to remote systems`
Remote file copy 2020-06-18 23:37:49 +03:00			`author: Ömer Günal`
			`date: 2020/06/18`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`references:`
			`- https://attack.mitre.org/techniques/T1105/`
Remote file copy 2020-06-18 23:37:49 +03:00			`logsource:`
			`product: linux`
			`detection:`
fix: Correct broken rules, add documentation 2021-08-13 15:46:30 +02:00			`tools:`
			`- 'scp '`
			`- 'rsync '`
			`- 'sftp '`
Update lnx_file_copy.yml 2020-10-15 22:53:20 -03:00			`filter:`
fix: Correct incorrect message / keyword usage 2021-08-12 14:03:18 +02:00			`- '@'`
			`- ':'`
fix: Correct broken rules, add documentation 2021-08-13 15:46:30 +02:00			`condition: tools and filter`
Remote file copy 2020-06-18 23:37:49 +03:00			`falsepositives:`
			`- Legitimate administration activities`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`level: low`
			`tags:`
			`- attack.command_and_control`
			`- attack.lateral_movement`
Update lnx_file_copy.yml 2020-10-15 22:53:20 -03:00			`- attack.t1105`