Suspicious Copy From or To System Directory
- source: sigma
- techniques:
    - t1036
    - t1036.003
Description
Detects a suspicious copy operation that copies a program from a system directory (System32, SysWOW64, WinSxS) to another location on disk. Often used to move LOLBINs such as ‘certutil’ or ‘desktopimgdownldr’ to a different location under a different name in order to bypass detections that key on the binary's location.
Detection logic
condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
filter_optional_avira:
    CommandLine|contains:
        - C:\Program Files\Avira\
        - C:\Program Files (x86)\Avira\
    CommandLine|contains|all:
        - /c copy
        - \Temp\
        - \avira_system_speedup.exe
    Image|endswith: \cmd.exe
selection_img_cmd:
    CommandLine|contains: 'copy '
    Image|endswith: \cmd.exe
selection_img_other:
    - Image|endswith:
        - \robocopy.exe
        - \xcopy.exe
    - OriginalFileName:
        - robocopy.exe
        - XCOPY.EXE
selection_img_pwsh:
    CommandLine|contains:
        - copy-item
        - ' copy '
        - 'cpi '
        - ' cp '
    Image|endswith:
        - \powershell_ise.exe
        - \powershell.exe
        - \pwsh.exe
selection_target:
    CommandLine|contains:
        - \System32
        - \SysWOW64
        - \WinSxS
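The following is an added example, not part of the rule or the Sigma project: a small Python evaluator that encodes each selection block, the optional filter and the condition line above as plain functions and runs them over a handful of constructed process-creation events. The event fields (image, command_line, original_file_name) and every sample command line are assumptions built for illustration; the matching semantics (case-insensitive endswith/contains, a YAML list under a selection OR-ing its entries, `contains|all` AND-ing its needles) follow standard Sigma behaviour.

```python
from dataclasses import dataclass

# Sigma string modifiers compare case-insensitively, so every helper lower-cases both sides.
def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)

def _contains_all(value: str, needles) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)

def _equals_any(value: str, candidates) -> bool:
    return value.lower() in {c.lower() for c in candidates}

@dataclass
class ProcessEvent:
    """Minimal process-creation event: only the three fields this rule reads (assumed schema)."""
    image: str
    command_line: str
    original_file_name: str = ""

# One function per selection block in the rule.
def selection_img_cmd(ev: ProcessEvent) -> bool:
    return _endswith_any(ev.image, ["\\cmd.exe"]) and _contains_any(ev.command_line, ["copy "])

def selection_img_pwsh(ev: ProcessEvent) -> bool:
    return (_endswith_any(ev.image, ["\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe"])
            and _contains_any(ev.command_line, ["copy-item", " copy ", "cpi ", " cp "]))

def selection_img_other(ev: ProcessEvent) -> bool:
    # The YAML list under this selection is OR-ed: a renamed binary is still caught via OriginalFileName.
    return (_endswith_any(ev.image, ["\\robocopy.exe", "\\xcopy.exe"])
            or _equals_any(ev.original_file_name, ["robocopy.exe", "XCOPY.EXE"]))

def selection_target(ev: ProcessEvent) -> bool:
    return _contains_any(ev.command_line, ["\\System32", "\\SysWOW64", "\\WinSxS"])

def filter_optional_avira(ev: ProcessEvent) -> bool:
    return (_endswith_any(ev.image, ["\\cmd.exe"])
            and _contains_all(ev.command_line, ["/c copy", "\\Temp\\", "\\avira_system_speedup.exe"])
            and _contains_any(ev.command_line, ["C:\\Program Files\\Avira\\", "C:\\Program Files (x86)\\Avira\\"]))

def rule_matches(ev: ProcessEvent) -> bool:
    """condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*"""
    any_img = selection_img_cmd(ev) or selection_img_pwsh(ev) or selection_img_other(ev)
    return any_img and selection_target(ev) and not filter_optional_avira(ev)

# Constructed sample events (illustrative, not real telemetry).
SAMPLE_EVENTS = {
    "cmd_copy_certutil": ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c copy C:\Windows\System32\certutil.exe C:\Users\Public\ct.exe"),
    "pwsh_copy_item": ProcessEvent(
        r"C:\Program Files\PowerShell\7\pwsh.exe",
        r"pwsh.exe -c Copy-Item C:\Windows\SysWOW64\desktopimgdownldr.exe C:\Temp\d.exe"),
    "renamed_robocopy": ProcessEvent(
        r"C:\Users\Public\rc.exe",
        r"rc.exe C:\Windows\WinSxS C:\Users\Public\out /S",
        original_file_name="ROBOCOPY.EXE"),
    # Full image path inside CommandLine makes selection_target fire; the optional filter suppresses it.
    "avira_speedup_filtered": ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r'C:\Windows\System32\cmd.exe /c copy "C:\Program Files (x86)\Avira\System Speedup\avira_system_speedup.exe" '
        r"C:\Windows\Temp\avira_system_speedup.exe"),
    "benign_xcopy_backup": ProcessEvent(
        r"C:\Windows\System32\xcopy.exe",
        r"xcopy C:\Users\me\Documents D:\Backup\Documents /E /H"),
    "benign_cmd_dir": ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c dir C:\Windows\System32"),
}

def evaluate_samples() -> dict:
    """Return {sample name: True if the rule fires}."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```

Two things worth noticing when tuning this rule: `selection_target` is a bare `contains` over the whole command line, so when the CommandLine field carries the launching binary's full path (as in the Avira sample) the `\System32` substring comes from `C:\Windows\System32\cmd.exe` itself rather than from the copied file, which is why a benign-looking copy into `\Temp\` still satisfies the selection and needs the `filter_optional_*` block; and the `OriginalFileName` branch is what keeps a renamed robocopy.exe in scope.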