Remote File Copy
Detects the use of tools that copy files from or to remote systems
Sigma rule
title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
references:
    - https://attack.mitre.org/techniques/T1105/
author: Ömer Günal
date: 2020-06-18
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1105
logsource:
    product: linux
detection:
    tools:
        - 'scp '
        - 'rsync '
        - 'sftp '
    filter:
        - '@'
        - ':'
    condition: tools and filter
falsepositives:
    - Legitimate administration activities
level: low
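The detection block above is two keyword lists joined by `tools and filter`, so a command line is flagged when it contains one of the tool names (note the trailing space, which requires an argument to follow) and also an `@` or `:` that marks a remote target. The following added example, which is not part of the rule or of the Sigma project, reproduces that logic in plain Python and runs it over constructed sample command lines; case-insensitive substring matching is an assumption, since the effective matching depends on the backend the rule is compiled for.

```python
"""Worked check of the 'Remote File Copy' Sigma rule logic (added example)."""

# Keyword lists copied from the rule. The trailing space on each tool name
# means the tool must be followed by an argument.
TOOLS = ["scp ", "rsync ", "sftp "]
FILTER = ["@", ":"]  # remote targets look like user@host or host:path


def matches_remote_file_copy(cmdline: str) -> bool:
    """Return True when the command line satisfies `tools and filter`.

    Each search identifier is a keyword list, so it is true when any of its
    strings occurs as a substring. Matching is done case-insensitively here
    (assumption; backends may differ).
    """
    text = cmdline.lower()
    tool_hit = any(tool in text for tool in TOOLS)
    filter_hit = any(mark in text for mark in FILTER)
    return tool_hit and filter_hit


# Constructed sample command lines, as a Linux process-execution log might
# record them (addresses are documentation ranges).
SAMPLE_CMDLINES = [
    "scp /var/backups/db.sql backup@203.0.113.10:/tmp/",  # user@host:path -> match
    "rsync -av /srv/data/ 198.51.100.7:/backup/data/",    # host:path      -> match
    "sftp deploy@example.com",                            # user@host      -> match
    "scp -h",                                             # no remote      -> no match
    "rsync -av /srv/data/ /mnt/backup/",                  # local copy     -> no match
    "cat /var/log/syslog",                                # unrelated      -> no match
]


def evaluate(cmdlines):
    """Return the subset of command lines the rule would flag."""
    return [c for c in cmdlines if matches_remote_file_copy(c)]


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(("ALERT  " if matches_remote_file_copy(cmd) else "       ") + cmd)
```

The local `rsync` run is the kind of administrative activity the rule's false-positive note refers to; the substring check on `:` and `@` is what keeps it from firing.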
Related rules
- Cisco Stage Data
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Command Line Execution with Suspicious URL and AppData Strings