Web: Potential file transfer using SCP

Anvilogic Forge

Summary
This detection rule identifies potential file transfers using Secure Copy Protocol (SCP), activity commonly associated with the threat actor group Lazarus. The rule uses EDR process logs to flag executions of the SCP command on Linux or macOS hosts within the last two hours, matching process records against a regular expression that indicates use of the 'scp' or 'ssh' commands. It is designed to surface lateral movement, command and control activity, and exfiltration attempts that abuse SCP to move files. The contextual threat techniques attached to this rule suggest that such transfers may be part of a lateral movement strategy or may send data to a non-standard command and control location, which can facilitate illicit data exfiltration.
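The following is an added illustration of the logic described above, run over constructed sample process events; it is not Anvilogic's rule code, and the event field names, the two-hour window value and the remote-host enrichment are assumptions made for this example. The regex is anchored on the process basename so that names such as 'sshd' do not match.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample EDR process events. Field names are assumptions for this
# example, not the schema of any particular EDR product.
SAMPLE_EVENTS = [
    {"ts": "2024-02-09T10:05:00Z", "platform": "linux", "host": "web01", "user": "deploy",
     "process": "/usr/bin/scp", "cmdline": "scp -r /var/www/backup.tgz ops@203.0.113.7:/tmp/"},
    {"ts": "2024-02-09T09:58:00Z", "platform": "macos", "host": "mac-dev", "user": "alice",
     "process": "ssh", "cmdline": "ssh bastion.example.internal"},
    {"ts": "2024-02-09T06:00:00Z", "platform": "linux", "host": "web01", "user": "root",
     "process": "scp", "cmdline": "scp notes.txt user@198.51.100.9:/data"},  # older than 2h
    {"ts": "2024-02-09T10:01:00Z", "platform": "windows", "host": "win01", "user": "bob",
     "process": "scp.exe", "cmdline": "scp.exe a.txt b:/"},                  # not Linux/macOS
    {"ts": "2024-02-09T10:02:00Z", "platform": "linux", "host": "db01", "user": "svc",
     "process": "/bin/bash", "cmdline": "bash -c sshd_config_check"},        # substring only
]

# Match only when the process basename is exactly scp or ssh (sshd, sshuttle, scp.exe do not match).
PROCESS_RE = re.compile(r"(?:^|/)(scp|ssh)$")
# scp remote operand of the form [user@]host:path; used only to enrich the alert with the peer host.
REMOTE_RE = re.compile(r"(?:\S+@)?([A-Za-z0-9.\-]+):\S*")
PLATFORMS = {"linux", "macos"}
WINDOW = timedelta(hours=2)  # assumed value of the rule's "last two hours" lookback

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_scp_transfers(events, now):
    # Alert on scp/ssh executions on Linux/macOS hosts seen within the lookback window.
    alerts = []
    for ev in events:
        m = PROCESS_RE.search(ev["process"])
        if ev["platform"] not in PLATFORMS or not m or now - parse_ts(ev["ts"]) > WINDOW:
            continue
        remote = None
        if m.group(1) == "scp":  # record the remote peer host, if the command line names one
            for tok in ev["cmdline"].split()[1:]:
                rm = REMOTE_RE.fullmatch(tok)
                if rm:
                    remote = rm.group(1)
                    break
        alerts.append({"host": ev["host"], "user": ev["user"], "tool": m.group(1),
                       "remote_host": remote, "cmdline": ev["cmdline"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_scp_transfers(SAMPLE_EVENTS, parse_ts("2024-02-09T10:10:00Z")):
        print(alert)
```

Of the five constructed events, only the two within the window on Linux/macOS produce alerts; the remote host captured from the scp operand gives an analyst the first pivot for triage.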
Categories
  • Endpoint
  • Linux
  • macOS
Data Sources
  • Process
ATT&CK Techniques
  • T1570
  • T1105
  • T1048.001
Created: 2024-02-09