sigma, low, TTP

Remote File Copy

Detects the use of tools that copy files from or to remote systems

MITRE ATT&CK

command-and-control, lateral-movement

Detection Query

tools:
  - "scp "
  - "rsync "
  - "sftp "
filter:
  - "@"
  - ":"
condition: tools and filter

Author

Ömer Günal

Created

2020-06-18

Data Sources

linux

Platforms

linux

Tags

attack.command-and-control, attack.lateral-movement, attack.t1105

Raw Content
title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
references:
    - https://www.cisa.gov/stopransomware/ransomware-guide
author: Ömer Günal
date: 2020-06-18
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1105
logsource:
    product: linux
detection:
    tools:
        - 'scp '
        - 'rsync '
        - 'sftp '
    filter:
        - '@'
        - ':'
    condition: tools and filter
falsepositives:
    - Legitimate administration activities
level: low
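
Added example (not part of the rule or of the Sigma project): a Python evaluation of this rule's keyword logic over constructed log lines. It shows that when the keywords are matched against the full raw line, a syslog timestamp satisfies the ':' filter on its own, so purely local copies also alert. The log format, the sample lines and the `strip_syslog_header` helper are assumptions.

```python
# Added example: evaluates this rule's keyword logic over constructed log lines.
RULE = {
    "tools": ["scp ", "rsync ", "sftp "],
    "filter": ["@", ":"],
}

def matched(keywords, line):
    """Sigma keyword list: OR across items, case-insensitive substring match."""
    low = line.lower()
    return [k for k in keywords if k.lower() in low]

def evaluate(line):
    """Condition 'tools and filter': both lists need at least one hit."""
    tools = matched(RULE["tools"], line)
    filt = matched(RULE["filter"], line)
    return {"alert": bool(tools and filt), "tools": tools, "filter": filt}

def strip_syslog_header(line):
    """Assumed tuning step: keep only the text after the 'host prog[pid]: ' header."""
    head, sep, msg = line.partition("]: ")
    return msg if sep else line

# Constructed sample lines (hostnames, users and paths are made up).
SAMPLES = [
    "Jun 18 10:02:11 web01 bash[2211]: scp /tmp/report.tgz backup@10.0.0.5:/srv/in/",
    "Jun 18 10:03:40 web01 bash[2211]: rsync -a /var/www/ /mnt/backup/www/",
    "Jun 18 10:04:02 web01 bash[2211]: ls -la /home/deploy",
    "Jun 18 10:05:19 web01 bash[2211]: sftp deploy@files.example.internal",
]

def run(preprocess=lambda s: s):
    """Return the alert decision for each sample after optional preprocessing."""
    return [evaluate(preprocess(s))["alert"] for s in SAMPLES]

if __name__ == "__main__":
    for raw, full, msg in zip(SAMPLES, run(), run(strip_syslog_header)):
        print(f"raw={full!s:5} message-only={msg!s:5} {raw}")
```

The second sample is a local rsync: it alerts on the raw line only because of the timestamp colons, and stops alerting once the keywords are applied to the message part alone.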