← Back to Explore
jamf_protectinformationalTTP
SCP File Copied to Remote Destination
This detection functions by monitoring and reporting when scp is used to copy a file to a remote destination.
Detection Query
$event.process.path.lastPathComponent == "scp" AND $event.type == 1 AND $event.process.args.@count > 1 AND (ANY $event.process.args MATCHES ".*@.*")Author
Jamf
Data Sources
Process EventsmacOS Endpoint Security
Platforms
macos
Tags
VisibilityExfiltration
Raw Content
---
name: ScpFileCopiedRemoteDestination
uuid: cbf317a8-7d93-4464-bba6-667aa8c2813f
longDescription: This detection functions by monitoring and reporting when scp is used to copy a file to a remote destination.
level: 0
inputType: GPProcessEvent
tags:
snapshotFiles: []
filter: $event.process.path.lastPathComponent == "scp" AND
$event.type == 1 AND
$event.process.args.@count > 1 AND
(ANY $event.process.args MATCHES ".*@.*")
actions:
- name: Log
context:
- exprs:
- (event.process.args)[1]
name: Source File
type: File
- exprs:
- (event.process.args)[LAST]
name: Destination
type: String
categories:
- Visibility
version: 1
severity: Informational
shortDescription: The scp binary has been used to transfer a file to a remote destination.
label: SCP File Copied to Remote Destination
remediation: null
MitreCategories:
- Exfiltration