Remote File Copy
Detects the use of tools that copy files from or to remote systems
Sigma rule
```yaml
title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
references:
    - https://www.cisa.gov/stopransomware/ransomware-guide
author: Ömer Günal
date: 2020-06-18
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1105
logsource:
    product: linux
detection:
    tools:
        - 'scp '
        - 'rsync '
        - 'sftp '
    filter:
        - '@'
        - ':'
    condition: tools and filter
falsepositives:
    - Legitimate administration activities
level: low
```
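The rule's condition, `tools and filter`, applied to a few constructed log lines, as an added example that is not code from the Sigma project or the rule author. It assumes the keywords are matched case-insensitively as substrings of the whole raw log line; the function names and sample lines are made up for illustration.

```python
# Added example: re-implements the rule's keyword logic for testing,
# it is not a Sigma backend. Assumption: keywords are case-insensitive
# substrings searched in the full raw log line.
TOOLS = ("scp ", "rsync ", "sftp ")   # detection.tools  (any of)
FILTER = ("@", ":")                   # detection.filter (any of)


def contains_any(line, keywords):
    """Return the keywords that occur in the line, ignoring case."""
    low = line.lower()
    return [k for k in keywords if k.lower() in low]


def match(line):
    """Evaluate 'tools and filter'; return both hit lists or None."""
    tools_hit = contains_any(line, TOOLS)
    filter_hit = contains_any(line, FILTER)
    if tools_hit and filter_hit:
        return tools_hit, filter_hit
    return None


def triage(lines):
    """Return (line, tools_hit, filter_hit) for every matching line."""
    hits = []
    for line in lines:
        result = match(line)
        if result:
            hits.append((line, *result))
    return hits


# Constructed sample lines (documentation addresses, invented hosts/users).
SAMPLES = [
    "scp /tmp/archive.tgz backup@192.0.2.10:/srv/in/",       # remote copy
    "rsync -az /var/www/ deploy@198.51.100.7:/var/www/",     # remote copy
    "rsync -a /home/alice/docs /mnt/usb/docs",               # local copy
    "ls -la /home/alice",                                    # unrelated
    # Local copy, but the syslog prefix itself contains ':'
    "Jun 18 10:02:11 web01 sudo: alice : COMMAND=/usr/bin/rsync -a /etc /mnt/backup",
]

if __name__ == "__main__":
    for line, tools_hit, filter_hit in triage(SAMPLES):
        print(f"MATCH tools={tools_hit} filter={filter_hit} :: {line}")
```

The last sample is a local `rsync` that still matches, because the `:` comes from the syslog timestamp rather than from a `user@host:path` argument; restricting the match to the command-line field is one way to cut that noise.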
Related rules
- Cisco Stage Data
- Suspicious Deno File Written from Remote Source
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Insensitive Subfolder Search Via Findstr.EXE
- Remote File Download Via Findstr.EXE