Detectionlowstable

Remote File Copy

Detects the use of tools that copy files from or to remote systems

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Ömer GünalCreated Thu Jun 187a14080d-a048-4de8-ae58-604ce58a795blinux

Log Source

Linux

ProductLinux← raw: linux

Detection Logic

detection:
    tools:
        - 'scp '
        - 'rsync '
        - 'sftp '
    filter:
        - '@'
        - ':'
    condition: tools and filter

False Positives

Legitimate administration activities

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

7a14080d-a048-4de8-ae58-604ce58a795b

Status

stable

Level

low

Type

Detection

Created

Thu Jun 18

Author

Path

rules/linux/builtin/lnx_file_copy.yml

Raw Tags

attack.command-and-controlattack.lateral-movementattack.t1105