Remote File Copy
Detects the use of tools that copy files from or to remote systems
Sigma rule (View on GitHub)
title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
references:
    - https://attack.mitre.org/techniques/T1105/
author: Ömer Günal
date: 2020/06/18
tags:
    - attack.command_and_control
    - attack.lateral_movement
    - attack.t1105
logsource:
    product: linux
detection:
    tools:
        - 'scp '
        - 'rsync '
        - 'sftp '
    filter:
        - '@'
        - ':'
    condition: tools and filter
falsepositives:
    - Legitimate administration activities
level: low
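The following is an added example, not part of the Sigma project or the rule author's code. It evaluates the rule's `tools and filter` keyword logic over constructed sudo-style syslog lines, once against the whole line and once against only the command text. It assumes case-insensitive substring matching for keyword lists; the `command_of` helper and the sample lines are hypothetical.

```python
# Added illustration: the rule's keyword logic applied to constructed log lines.
TOOLS = ["scp ", "rsync ", "sftp "]   # detection.tools from the rule
FILTER = ["@", ":"]                   # detection.filter from the rule


def any_keyword(text, keywords):
    """A keyword list matches if any entry occurs in the text (case-insensitive)."""
    lowered = text.lower()
    return any(k.lower() in lowered for k in keywords)


def rule_matches(text):
    """condition: tools and filter"""
    return any_keyword(text, TOOLS) and any_keyword(text, FILTER)


def command_of(line):
    """Hypothetical helper: text after 'COMMAND=' in a sudo log line, else the line."""
    return line.partition("COMMAND=")[2] or line


# Constructed sample events (not real logs).
SAMPLE_LOGS = [
    "Jun 18 10:01:02 web01 sudo: alice : TTY=pts/0 ; USER=root ; "
    "COMMAND=/usr/bin/scp backup.tgz bob@10.0.0.5:/tmp/",
    "Jun 18 10:02:10 web01 sudo: alice : TTY=pts/0 ; USER=root ; "
    "COMMAND=/usr/bin/rsync -a /srv/www/ /mnt/backup/",
    "Jun 18 10:03:44 web01 sudo: alice : TTY=pts/0 ; USER=root ; "
    "COMMAND=/usr/bin/sftp carol@files.example.org",
    "Jun 18 10:04:00 web01 sudo: alice : TTY=pts/0 ; USER=root ; "
    "COMMAND=/usr/bin/ls -la /home/alice",
]


def compare(lines):
    """Return (whole_line_match, command_only_match) for each line."""
    return [(rule_matches(l), rule_matches(command_of(l))) for l in lines]


if __name__ == "__main__":
    for line, (whole, cmd) in zip(SAMPLE_LOGS, compare(SAMPLE_LOGS)):
        print(f"whole={whole!s:5} command={cmd!s:5} {command_of(line)}")
```

The local-only `rsync` line matches on the whole line because the syslog timestamp already contains `:`, so the `filter` keywords only narrow results when they are evaluated against the command text.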
Related rules
- Register new Logon Process by Rubeus
- SMB Spoolss Name Piped Usage
- Abuse of the Windows Server Update Services (WSUS) for lateral movement.