LoFP / when cmd.exe and xcopy.exe are called directly

Techniques

Sample rules

Suspicious Copy From or To System Directory

Description

Detects a suspicious copy operation that copies a program from a system directory (System32, SysWOW64, WinSxS) to another location on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location under a different name in order to bypass detections that key on the binary's location. Note that the logic only checks for a system-directory string anywhere in the command line, so it also fires on copies into those directories and on any copy command that spells out the full path of cmd.exe or xcopy.exe (e.g. "C:\Windows\System32\cmd.exe" /c copy ...), even when nothing is copied from them.

Detection logic

```yaml
# Process-creation selections; OR'd together by "1 of selection_img_*" in the condition
selection_img_cmd:
  CommandLine|contains: 'copy '
  Image|endswith: \cmd.exe
selection_img_other:
- Image|endswith:
  - \robocopy.exe
  - \xcopy.exe
- OriginalFileName:
  - robocopy.exe
  - XCOPY.EXE
selection_img_pwsh:
  CommandLine|contains:
  - copy-item
  - ' copy '
  - 'cpi '
  - ' cp '
  Image|endswith:
  - \powershell_ise.exe
  - \powershell.exe
  - \pwsh.exe
# Source, destination or the image's own path lies in a system directory
selection_target:
  CommandLine|contains:
  - \System32
  - \SysWOW64
  - \WinSxS
# Known benign: Avira System Speedup copying itself to Temp via cmd /c copy
filter_optional_avira:
  CommandLine|contains:
  - C:\Program Files\Avira\
  - C:\Program Files (x86)\Avira\
  CommandLine|contains|all:
  - /c copy
  - \Temp\
  - \avira_system_speedup.exe
  Image|endswith: \cmd.exe
condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
```
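The following is an added example, not code from the LoFP page or the Sigma project: a small Python evaluator that applies the detection logic above (Sigma's case-insensitive `contains`/`endswith`, OR'd lists, `|all`, and the `1 of ... and not 1 of ...` condition) to constructed process-creation events. The events are made up for illustration; they include a true positive (certutil copied out of System32), the Avira case the optional filter suppresses, and the false-positive shape the page title refers to, where cmd.exe or xcopy.exe is invoked by its full System32 path to copy unrelated files.

```python
"""Evaluate "Suspicious Copy From or To System Directory" over sample events.

Added example; not part of the LoFP page or the Sigma project. Event data is
constructed for illustration.
"""
from typing import Any

# Detection block transcribed from the rule (keys are field|modifier...).
DETECTION: dict[str, Any] = {
    "selection_img_cmd": {"CommandLine|contains": "copy ", "Image|endswith": "\\cmd.exe"},
    "selection_img_other": [  # list of maps = OR
        {"Image|endswith": ["\\robocopy.exe", "\\xcopy.exe"]},
        {"OriginalFileName": ["robocopy.exe", "XCOPY.EXE"]},
    ],
    "selection_img_pwsh": {
        "CommandLine|contains": ["copy-item", " copy ", "cpi ", " cp "],
        "Image|endswith": ["\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe"],
    },
    "selection_target": {"CommandLine|contains": ["\\System32", "\\SysWOW64", "\\WinSxS"]},
    "filter_optional_avira": {
        "CommandLine|contains": ["C:\\Program Files\\Avira\\", "C:\\Program Files (x86)\\Avira\\"],
        "CommandLine|contains|all": ["/c copy", "\\Temp\\", "\\avira_system_speedup.exe"],
        "Image|endswith": "\\cmd.exe",
    },
}


def _match_value(value: str, pattern: str, modifiers: list[str]) -> bool:
    """Sigma string matching is case-insensitive; this rule only uses contains/endswith."""
    v, p = value.lower(), pattern.lower()
    if "contains" in modifiers:
        return p in v
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def _match_field(event: dict[str, str], key: str, patterns: Any) -> bool:
    field, *modifiers = key.split("|")
    value = event.get(field, "")
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(value, p, modifiers) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)  # value lists are OR unless |all


def _match_selection(event: dict[str, str], selection: Any) -> bool:
    if isinstance(selection, list):  # list of maps: any map may match
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())  # map: all fields


def matches(event: dict[str, str]) -> bool:
    """condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*"""
    sel = lambda prefix: any(_match_selection(event, s) for n, s in DETECTION.items() if n.startswith(prefix))
    return sel("selection_img_") and _match_selection(event, DETECTION["selection_target"]) and not sel("filter_optional_")


# Constructed sample events (Sysmon EID 1 / 4688 style fields); not real telemetry.
CMD, XCOPY = "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\xcopy.exe"
EVENTS: dict[str, dict[str, str]] = {
    "lolbin_rename": {"Image": CMD, "OriginalFileName": "Cmd.Exe",
                      "CommandLine": "cmd.exe /c copy C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\ct.exe"},
    "xcopy_from_syswow64": {"Image": XCOPY, "OriginalFileName": "XCOPY.EXE",
                            "CommandLine": "xcopy C:\\Windows\\SysWOW64\\desktopimgdownldr.exe C:\\Temp\\ /Y"},
    "pwsh_cp_winsxs": {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "OriginalFileName": "pwsh.dll",
                       "CommandLine": "pwsh -c cp C:\\Windows\\WinSxS\\x\\tool.exe C:\\Users\\Public\\t.exe"},
    "avira_filtered": {"Image": CMD, "OriginalFileName": "Cmd.Exe",
                       "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c copy "C:\\Program Files (x86)\\Avira\\System Speedup\\avira_system_speedup.exe" "C:\\Windows\\Temp\\avira_system_speedup.exe"'},
    # The false-positive shape from the page title: the full path of cmd.exe/xcopy.exe itself
    # contains \System32, so selection_target matches although nothing is copied from it.
    "cmd_fullpath_benign": {"Image": CMD, "OriginalFileName": "Cmd.Exe",
                            "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c copy D:\\a.txt D:\\b.txt'},
    "xcopy_fullpath_benign": {"Image": XCOPY, "OriginalFileName": "XCOPY.EXE",
                              "CommandLine": "C:\\Windows\\System32\\xcopy.exe D:\\Backup E:\\Archive /E"},
    "xcopy_benign": {"Image": XCOPY, "OriginalFileName": "XCOPY.EXE",
                     "CommandLine": "xcopy D:\\Backup E:\\Archive /E"},
}


def run_samples() -> dict[str, bool]:
    return {name: matches(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'ALERT ' if hit else 'quiet '} {name}")
```

The two `*_fullpath_benign` events fire purely because the interpreter's own path appears in the command line; if that is a common pattern in your environment, a tuning filter would need to check that a system-directory path occurs after the copy verb rather than anywhere in the string.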