From c6c455a3ec2ef9761fc7605249d504a83512a335 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Thu, 18 Jun 2020 23:37:49 +0300
Subject: [PATCH] Remote file copy
---
 rules/linux/lnx_file_copy.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/linux/lnx_file_copy.yml
diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml
new file mode 100644
index 00000000000..0a1a8995b9f
--- /dev/null
+++ b/rules/linux/lnx_file_copy.yml
@@ -0,0 +1,28 @@
+title: Remote File Copy
+id: 7a14080d-a048-4de8-ae58-604ce58a795b
+description: Detects using remote file copy tools
+references:
+ - https://attack.mitre.org/techniques/T1105/
+author: Ömer Günal
+date: 2020/06/18
+tags:
+ - attack.command_and_control
+ - attack.laterel_movement
+ - attack.t1105
+level: low
+logsource:
+ product: linux
+detection:
+ keywords:
+ - Scp|contains:
+ - 'scp * *@*:*'
+ - 'scp *@*:* *'
+ - Rsync|contains:
+ - 'rsync -r *@*:* *'
+ - 'rsync -r * *@*:*'
+ - Sftp|contains:
+ - 'sftp *@*:* *'
+ - 'sftp *@*:* *'
+ condition: keywords
+falsepositives:
+ - Legitimate administration activities
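Review bot: The two `Sftp|contains` entries are byte-identical (`'sftp *@*:* *'` twice), so the second adds no coverage; following the scp/rsync pairs the outbound direction was presumably intended, i.e. `- 'sftp * *@*:*'`. The tag `attack.laterel_movement` is misspelled and will not match the `attack.lateral_movement` taxonomy used by tooling that filters on tags, so it should read `- attack.lateral_movement`. Under `keywords` Sigma expects plain strings; `Scp|contains:`, `Rsync|contains:` and `Sftp|contains:` look like field-style modifiers and some backends may treat `Scp`/`Rsync`/`Sftp` as field names rather than free-text matches — worth confirming against the project's validator before merging. The rsync patterns also require a literal `-r`, so common invocations such as `rsync -a` or `rsync -av` are missed; the `description` or a comment should state that limitation if it is intentional.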