title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
author: Ömer Günal
date: 2020/06/18
references:
    - https://attack.mitre.org/techniques/T1105/
logsource:
    product: linux
detection:
    keywords:
        - Scp|contains:
          - 'scp'
        - Rsync|contains:
          - 'rsync -r'
        - Sftp|contains:
          - 'sftp'
    filter:
        message|contains|all:
          - '@'
          - ':'
    condition: keywords and filter
falsepositives:
    - Legitimate administration activities
level: low
tags:
    - attack.command_and_control
    - attack.lateral_movement
    - attack.t1105