Techniques
Sample rules
Suspicious Copy on System32
- source: splunk
- technicques:
- T1036.003
- T1036
Description
The following analytic detects suspicious file copy operations from the System32 or SysWow64 directories, often indicative of malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes initiated by command-line tools like cmd.exe or PowerShell. This behavior is significant as it may indicate an attempt to execute malicious code using legitimate system tools (LOLBIN). If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise or further lateral movement within the network.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN("cmd.exe", "powershell*","pwsh.exe", "sqlps.exe", "sqltoolsps.exe", "powershell_ise.exe") AND `process_copy` AND Processes.process IN("*\\Windows\\System32\\*", "*\\Windows\\SysWow64\\*") AND Processes.process = "*copy*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp
| `drop_dm_object_name(Processes)`
| eval splitted_commandline=split(process," ")
| eval first_cmdline=lower(mvindex(splitted_commandline,0))
| where NOT LIKE(first_cmdline,"%\\windows\\system32\\%") AND NOT LIKE(first_cmdline,"%\\windows\\syswow64\\%")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`suspicious_copy_on_system32_filter`