SigmaHQ/rules/linux/lnx_file_copy.yml

title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
author: Ömer Günal
date: 2020/06/18
references:
    - https://attack.mitre.org/techniques/T1105/
logsource:
    product: linux
detection:
    keywords:
        - Scp|contains:
          - 'scp * *@*:*'
          - 'scp *@*:* *'
        - Rsync|contains:
          - 'rsync -r *@*:* *'
          - 'rsync -r * *@*:*'
        - Sftp|contains:
          - 'sftp *@*:* *'
    condition: keywords
falsepositives:
    - Legitimate administration activities
level: low
tags:
    - attack.command_and_control
    - attack.lateral_movement
    - attack.t1105
Remote file copy 2020-06-18 20:37:49 +00:00			`title: Remote File Copy`
			`id: 7a14080d-a048-4de8-ae58-604ce58a795b`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`status: stable`
Update lnx_file_copy.yml 2020-07-03 09:32:49 +00:00			`description: Detects the use of tools that copy files from or to remote systems`
Remote file copy 2020-06-18 20:37:49 +00:00			`author: Ömer Günal`
			`date: 2020/06/18`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`references:`
			`- https://attack.mitre.org/techniques/T1105/`
Remote file copy 2020-06-18 20:37:49 +00:00			`logsource:`
			`product: linux`
			`detection:`
			`keywords:`
			`- Scp\|contains:`
			`- 'scp * @:*'`
			`- 'scp @:* *'`
			`- Rsync\|contains:`
			`- 'rsync -r @:* *'`
			`- 'rsync -r * @:*'`
			`- Sftp\|contains:`
			`- 'sftp @:* *'`
			`condition: keywords`
			`falsepositives:`
			`- Legitimate administration activities`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`level: low`
			`tags:`
			`- attack.command_and_control`
			`- attack.lateral_movement`
			`- attack.t1105`