Techniques
Sample rules
Suspicious Copy From or To System Directory
- source: sigma
- techniques:
  - t1036
  - t1036.003
Description
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as ‘certutil’ or ‘desktopimgdownldr’ to a different location with a different name in order to bypass detections based on locations.
Detection logic
condition: 1 of selection_* and target
selection_cmd:
  CommandLine|contains: 'copy '
  Image|endswith: \cmd.exe
selection_other:
  - Image|endswith:
      - \robocopy.exe
      - \xcopy.exe
  - OriginalFileName:
      - robocopy.exe
      - XCOPY.EXE
selection_pwsh:
  CommandLine|contains:
    - copy-item
    - ' copy '
    - 'cpi '
    - ' cp '
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
target:
  CommandLine|contains:
    - \System32
    - \SysWOW64
    - \WinSxS