
Suspicious Copy From or To System Directory

Detects a suspicious copy operation that copies a program from a system directory (System32, SysWOW64, WinSxS) to another location on disk, or into one of those directories. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location under a different name in order to bypass detections that key on the binary's path.

Authors: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
Created: Fri Jul 03
Updated: Thu Nov 27
Rule ID: fff9d2b7-e11c-4a69-93d3-40ef66189767
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (5 selectors)
detection:
    selection_img_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'copy '
    selection_img_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'copy-item'
            - ' copy '
            - 'cpi '
            - ' cp '
    selection_img_other:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_target:
        CommandLine|re|i: \s['"]?C:\\Windows\\(System32|SysWOW64|WinSxS)
    filter_optional_avira:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/c copy'
            - '\Temp\'
            - '\avira_system_speedup.exe'
        CommandLine|contains:
            - 'C:\Program Files\Avira\'
            - 'C:\Program Files (x86)\Avira\'
    condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
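To see how the condition resolves on real-looking input, the following added Python example (not part of the Sigma rule or the Sigma repository) re-implements the five selectors and the condition above and runs them over constructed process-creation events; the field names mirror the rule, the events themselves are made up, and Sigma's default case-insensitive string matching is assumed.

```python
import re

# Regex from selection_target; Sigma's |re|i modifier means case-insensitive.
TARGET_RE = re.compile(r"\s['\"]?C:\\Windows\\(System32|SysWOW64|WinSxS)", re.IGNORECASE)

def _ends(value, suffixes):
    # Sigma |endswith: case-insensitive suffix match against any listed value.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def _has(value, needles, all_of=False):
    # Sigma |contains (any) and |contains|all, case-insensitive.
    v = value.lower()
    hits = [n.lower() in v for n in needles]
    return all(hits) if all_of else any(hits)

def rule_matches(ev):
    """Evaluate the rule against one event dict (Image, CommandLine, OriginalFileName)."""
    img, cmd, ofn = ev["Image"], ev["CommandLine"], ev.get("OriginalFileName", "")
    img_cmd = _ends(img, ["\\cmd.exe"]) and _has(cmd, ["copy "])
    img_pwsh = (_ends(img, ["\\powershell.exe", "\\pwsh.exe"])
                and _has(cmd, ["copy-item", " copy ", "cpi ", " cp "]))
    # selection_img_other is a list of maps, i.e. Image-suffix OR exact OriginalFileName.
    img_other = (_ends(img, ["\\robocopy.exe", "\\xcopy.exe"])
                 or ofn.lower() in ("robocopy.exe", "xcopy.exe"))
    target = TARGET_RE.search(cmd) is not None
    filter_avira = (_ends(img, ["\\cmd.exe"])
                    and _has(cmd, ["/c copy", "\\Temp\\", "\\avira_system_speedup.exe"], all_of=True)
                    and _has(cmd, ["C:\\Program Files\\Avira\\", "C:\\Program Files (x86)\\Avira\\"]))
    # condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
    return (img_cmd or img_pwsh or img_other) and target and not filter_avira

# Constructed sample events (not real telemetry); keys follow Sysmon/4688 naming.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Windows\System32\certutil.exe C:\Users\Public\cu.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Copy-Item 'C:\Windows\SysWOW64\certutil.exe' C:\Temp\x.exe"},
    {"Image": r"C:\Windows\System32\xcopy.exe", "OriginalFileName": "XCOPY.EXE",
     "CommandLine": r"xcopy.exe C:\Users\me\docs D:\backup /E"},  # no system dir: not flagged
    {"Image": r"C:\Windows\System32\cmd.exe",  # hits selection_target but is removed by the Avira filter
     "CommandLine": r'cmd.exe /c copy "C:\Program Files\Avira\avira_system_speedup.exe" '
                    r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Temp\avira_system_speedup.exe"},
]

def flagged(events):
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for line in flagged(SAMPLE_EVENTS):
        print("ALERT:", line)
```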
False Positives

Depends on the scripts and administrative tools used in the monitored environment (for example, admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)

When cmd.exe and xcopy.exe are called directly

When the command contains the keywords but not in the correct order

Rule Metadata
Rule ID
fff9d2b7-e11c-4a69-93d3-40ef66189767
Status
test
Level
medium
Type
Detection
Created
Fri Jul 03
Modified
Thu Nov 27
Path
rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
Raw Tags
attack.defense-evasion, attack.t1036.003