Remote File Copy

 1title: Remote File Copy
 2id: 7a14080d-a048-4de8-ae58-604ce58a795b
 3status: stable
 4description: Detects the use of tools that copy files from or to remote systems
 5references:
 6    - https://attack.mitre.org/techniques/T1105/
 7author: Ömer Günal
 8date: 2020/06/18
 9tags:
10    - attack.command_and_control
11    - attack.lateral_movement
12    - attack.t1105
13logsource:
14    product: linux
15detection:
16    tools:
17        - 'scp '
18        - 'rsync '
19        - 'sftp '
20    filter:
21        - '@'
22        - ':'
23    condition: tools and filter
24falsepositives:
25    - Legitimate administration activities
26level: low

References

• Ingress Tool Transfer, Technique T1105 - Enterprise | MITRE ATT&CK®

  C0028 2015 Ukraine Electric Power Attack During the 2015 Ukraine Electric Power Attack, Sandworm Team pushed additional malicious tools onto an infected system to steal user credentials, move later...

  
  Read More

Related rules

• Register new Logon Process by Rubeus
• SMB Spoolss Name Piped Usage
• Abuse of the Windows Server Update Services (WSUS) for lateral movement.