Merge pull request #1 from omergunal/omergunal-patch-1

Remote file copy
veritasr3x · Jun 18, 2020 · 93719d8 · 93719d8
2 parents 40a07a2 + c6c455a
commit 93719d8
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml
@@ -0,0 +1,28 @@
+title: Remote File Copy
+id: 7a14080d-a048-4de8-ae58-604ce58a795b
+description: Detects using remote file copy tools
+references:
+    - https://attack.mitre.org/techniques/T1105/
+author: Ömer Günal
+date: 2020/06/18
+tags:
+    - attack.command_and_control
+    - attack.laterel_movement
+    - attack.t1105
+level: low
+logsource:
+    product: linux
+detection:
+    keywords:
+        - Scp|contains:
+          - 'scp * *@*:*'
+          - 'scp *@*:* *'
+        - Rsync|contains:
+          - 'rsync -r *@*:* *'
+          - 'rsync -r * *@*:*'
+        - Sftp|contains:
+          - 'sftp *@*:* *'
+          - 'sftp *@*:* *'
+    condition: keywords
+falsepositives:
+    - Legitimate administration activities