valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
81d1bb0e2b
SigmaHQ/rules/linux/lnx_file_copy.yml

27 lines
595 B
YAML
Raw Normal View History

Remote file copy
2020-06-18 20:37:49 +00:00
title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
Fixed my git issue
2020-09-14 04:03:04 +00:00
status: stable
Update lnx_file_copy.yml
2020-07-03 09:32:49 +00:00
description: Detects the use of tools that copy files from or to remote systems
Remote file copy
2020-06-18 20:37:49 +00:00
author: Ömer Günal
date: 2020/06/18
Fixed my git issue
2020-09-14 04:03:04 +00:00
references:
- https://attack.mitre.org/techniques/T1105/
Remote file copy
2020-06-18 20:37:49 +00:00
logsource:
product: linux
detection:
fix: Correct broken rules, add documentation
2021-08-13 13:46:30 +00:00
tools:
- 'scp '
- 'rsync '
- 'sftp '
Update lnx_file_copy.yml
2020-10-16 01:53:20 +00:00
filter:
fix: Correct incorrect message / keyword usage Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
2021-08-12 12:03:18 +00:00
- '@'
- ':'
fix: Correct broken rules, add documentation
2021-08-13 13:46:30 +00:00
condition: tools and filter
Remote file copy
2020-06-18 20:37:49 +00:00
falsepositives:
- Legitimate administration activities
Fixed my git issue
2020-09-14 04:03:04 +00:00
level: low
tags:
- attack.command_and_control
- attack.lateral_movement
Update lnx_file_copy.yml
2020-10-16 01:53:20 +00:00
- attack.t1105
Reference in New Issue Copy Permalink