KQL rule · license: Elastic-2.0 · from elastic/detection-rules

Unusual Remote File Creation

Quality: 92
Rule source: rules/linux/lateral_movement_unusual_remote_file_creation.toml
event.category:file and host.os.type:linux and event.action:creation and
process.name:(scp or ftp or sftp or vsftpd or sftp-server or sync) and
not (
  file.path:(
    /dev/ptmx or /run/* or /var/run/* or /home/*/.ansible/*AnsiballZ_*.py or /home/*/.ansible/tmp/ansible-tmp* or
    /root/.ansible/*AnsiballZ_*.py or /tmp/ansible-chief/ansible-tmp*AnsiballZ_*.py or
    /tmp/newroot/home/*/.ansible/tmp/ansible-tmp*AnsiballZ_*.py or /tmp/.ansible/tmp/ansible-tmp*AnsiballZ_*.py or
    /tmp/ansible-tmp-*/AnsiballZ_*.py or /tmp/.ansible/ansible-tmp-*AnsiballZ_*.py or /var/tmp/ansible-tmp-* or
    /tmp/.ansible/ansible-tmp-*/.source or /root/.ansible/tmp/ansible-tmp-*/.source
  ) or
  file.extension:(filepart or yaml or new or rpm or deb)
)
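To see which events the query above actually keeps, here is an added example (not code from elastic/detection-rules or from DetectionLint) that re-implements the rule's predicate in Python and runs it over a handful of constructed, flattened ECS events. The process list, path globs and extension list are copied from the query as shown; the sample paths, user names and process names in the events are assumptions made up for illustration. KQL's `*` on a keyword field can span `/`, and `fnmatchcase` reproduces that, which is why `/run/*` swallows everything under `/run` while `/tmp/ansible-tmp-*/AnsiballZ_*.py` stays narrow.

```python
"""Evaluate the 'Unusual Remote File Creation' KQL predicate over sample events.

Added example, not the rule's own code. Events are constructed and flattened
to dotted ECS keys for readability; event.category is a list, as in ECS.
"""
from fnmatch import fnmatchcase

# process.name list, copied verbatim from the rule as shown on this page
REMOTE_TRANSFER_PROCS = {"scp", "ftp", "sftp", "vsftpd", "sftp-server", "sync"}

# file.path exclusions copied from the rule. fnmatchcase lets '*' span '/',
# matching the behaviour of a wildcard on a keyword field in KQL.
EXCLUDED_PATH_PATTERNS = [
    "/dev/ptmx", "/run/*", "/var/run/*",
    "/home/*/.ansible/*AnsiballZ_*.py", "/home/*/.ansible/tmp/ansible-tmp*",
    "/root/.ansible/*AnsiballZ_*.py", "/tmp/ansible-chief/ansible-tmp*AnsiballZ_*.py",
    "/tmp/newroot/home/*/.ansible/tmp/ansible-tmp*AnsiballZ_*.py",
    "/tmp/.ansible/tmp/ansible-tmp*AnsiballZ_*.py",
    "/tmp/ansible-tmp-*/AnsiballZ_*.py", "/tmp/.ansible/ansible-tmp-*AnsiballZ_*.py",
    "/var/tmp/ansible-tmp-*",
    "/tmp/.ansible/ansible-tmp-*/.source", "/root/.ansible/tmp/ansible-tmp-*/.source",
]
EXCLUDED_EXTENSIONS = {"filepart", "yaml", "new", "rpm", "deb"}


def _field_has(event, field, value):
    """KQL `field:value` semantics: true if the scalar equals, or the list contains, value."""
    v = event.get(field)
    if isinstance(v, list):
        return value in v
    return v == value


def path_excluded(path):
    """True if file.path matches any of the rule's exclusion globs."""
    return any(fnmatchcase(path, pat) for pat in EXCLUDED_PATH_PATTERNS)


def matches_rule(event):
    """Return True when the event satisfies the whole query (i.e. would alert)."""
    if not (_field_has(event, "event.category", "file")
            and _field_has(event, "host.os.type", "linux")
            and _field_has(event, "event.action", "creation")):
        return False
    if event.get("process.name") not in REMOTE_TRANSFER_PROCS:
        return False
    # A missing file.extension never matches the extension exclusion, as in KQL.
    path = event.get("file.path", "")
    ext = event.get("file.extension", "")
    return not (path_excluded(path) or ext in EXCLUDED_EXTENSIONS)


def alerting_paths(events):
    """file.path of every event the rule keeps, in input order."""
    return [e["file.path"] for e in events if matches_rule(e)]


_BASE = {"event.category": ["file"], "host.os.type": "linux", "event.action": "creation"}

# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # scp drops a script into a user's home: nothing excludes it, so it alerts
    {**_BASE, "process.name": "scp",
     "file.path": "/home/alice/.cache/update.sh", "file.extension": "sh"},
    # sftp-server writing an Ansible module payload: excluded by the /home/*/.ansible globs
    {**_BASE, "process.name": "sftp-server",
     "file.path": "/home/alice/.ansible/tmp/ansible-tmp-1700000000.1-4242/AnsiballZ_setup.py",
     "file.extension": "py"},
    # scp pulling a package: excluded by file.extension
    {**_BASE, "process.name": "scp",
     "file.path": "/var/cache/apt/archives/curl_8.5.0-2_amd64.deb", "file.extension": "deb"},
    # local shell, not one of the remote-transfer processes
    {**_BASE, "process.name": "bash", "file.path": "/tmp/x.sh", "file.extension": "sh"},
    # anything under /run is excluded, however deep
    {**_BASE, "process.name": "scp", "file.path": "/run/user/1000/stage"},
    # /tmp/ansible-tmp-* is only excluded for AnsiballZ_*.py, so this still alerts
    {**_BASE, "process.name": "scp",
     "file.path": "/tmp/ansible-tmp-99/loader.txt", "file.extension": "txt"},
    # same write as the first event but on a non-Linux host: out of scope
    {**_BASE, "host.os.type": "windows", "process.name": "scp",
     "file.path": "/home/alice/.cache/update.sh", "file.extension": "sh"},
]

if __name__ == "__main__":
    for p in alerting_paths(SAMPLE_EVENTS):
        print("ALERT", p)
```

Running the file prints the two paths the rule keeps (the home-directory script and the non-AnsiballZ file under `/tmp/ansible-tmp-99`). The `/tmp/ansible-tmp-99/loader.txt` case is worth keeping in mind when tuning: the Ansible exclusions are deliberately specific to the module payload names and `.source` files, so other files an automation job drops under those directories are not suppressed.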
Unusual Remote File Creation · KQL rule | DetectionLint