Techniques
Sample rules
Suspicious Copy on System32
- source: splunk
- technicques:
- T1036.003
- T1036
Description
This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN("cmd.exe", "powershell*","pwsh.exe", "sqlps.exe", "sqltoolsps.exe", "powershell_ise.exe") AND `process_copy` AND Processes.process IN("*\\Windows\\System32\\*", "*\\Windows\\SysWow64\\*") AND Processes.process = "*copy*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp
| `drop_dm_object_name(Processes)`
| eval splitted_commandline=split(process," ")
| eval first_cmdline=lower(mvindex(splitted_commandline,0))
| where NOT LIKE(first_cmdline,"%\\windows\\system32\\%") AND NOT LIKE(first_cmdline,"%\\windows\\syswow64\\%")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|`suspicious_copy_on_system32_filter`