title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
author: Ömer Günal
date: 2020/06/18
references:
    - https://attack.mitre.org/techniques/T1105/
logsource:
    product: linux
detection:
    keywords:
        - Scp|contains:
          - 'scp * *@*:*'
          - 'scp *@*:* *'
        - Rsync|contains:
          - 'rsync -r *@*:* *'
          - 'rsync -r * *@*:*'
        - Sftp|contains:
          - 'sftp *@*:* *'
    condition: keywords
falsepositives:
    - Legitimate administration activities
level: low
tags:
    - attack.command_and_control
    - attack.lateral_movement
    - attack.t1105