title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
author: Ömer Günal
date: 2020/06/18
references:
    - https://attack.mitre.org/techniques/T1105/
logsource:
    product: linux
detection:
    tools:
        - 'scp '
        - 'rsync '
        - 'sftp '
    filter:
        - '@'
        - ':'
    condition: tools and filter
falsepositives:
    - Legitimate administration activities
level: low
tags:
    - attack.command_and_control
    - attack.lateral_movement
    - attack.t1105