Remote File Copy

2024-11-07 01:45:21 +00:00 · 2020-06-18 23:36:29 +03:00 · 2020-06-18 23:36:29 +03:00 · a963630db8
commit a963630db8
parent 3a607abe33
1 changed files with 28 additions and 0 deletions
--- a/rules/linux/lnx_file_copy.yml
+++ b/rules/linux/lnx_file_copy.yml
@ -0,0 +1,28 @@
+title: Remote File Copy
+id: 7a14080d-a048-4de8-ae58-604ce58a795b
+description: Detects using remote file copy tools
+references:
+    - https://attack.mitre.org/techniques/T1105/
+author: Ömer Günal
+date: 2020/06/18
+tags:
+    - attack.command_and_control
+    - attack.laterel_movement
+    - attack.t1105
+level: low
+logsource:
+    product: linux
+detection:
+    keywords:
+        - Scp|contains:
+          - 'scp * *@*:*'
+          - 'scp *@*:* *'
+        - Rsync|contains:
+          - 'rsync -r *@*:* *'
+          - 'rsync -r * *@*:*'
+        - Sftp|contains:
+          - 'sftp *@*:* *'
+          - 'sftp *@*:* *'
+    condition: keywords
+falsepositives:
+    - Legitimate administration activities