Detectionhightest
LOL-Binary Copied From System Directory
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Aug 29Updated Thu Nov 27f5d19838-41b5-476c-98d8-ba8af4929ee2windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic5 selectors
detection:
selection_tools_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains: 'copy '
selection_tools_pwsh:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'copy-item'
- ' copy '
- 'cpi '
- ' cp '
selection_tools_other:
- Image|endswith:
- '\robocopy.exe'
- '\xcopy.exe'
- OriginalFileName:
- 'robocopy.exe'
- 'XCOPY.EXE'
selection_target_path:
CommandLine|contains:
- '\System32'
- '\SysWOW64'
- '\WinSxS'
selection_target_lolbin:
CommandLine|contains:
# Note: add more binaries to increase coverage
- '\bitsadmin.exe'
- '\calc.exe'
- '\certutil.exe'
- '\cmdl32.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\wscript.exe'
- '\ie4uinit.exe'
condition: 1 of selection_tools_* and all of selection_target_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
f5d19838-41b5-476c-98d8-ba8af4929ee2
Status
test
Level
high
Type
Detection
Created
Tue Aug 29
Modified
Thu Nov 27
Path
rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
Raw Tags
attack.defense-evasionattack.t1036.003