Remote File Copy to a Hidden Share
Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Elastic rule
```toml
[metadata]
creation_date = "2020/11/04"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging
activity.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "winlogbeat-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Remote File Copy to a Hidden Share"
references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
risk_score = 47
rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (
    process.name : ("cmd.exe", "powershell.exe", "xcopy.exe") and
    process.args : ("copy*", "move*", "cp", "mv") or
    process.name : "robocopy.exe"
  ) and process.args : "*\\\\*\\*$*"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Remote File Copy to a Hidden Share

In Windows environments, hidden network shares are often used for legitimate administrative tasks, allowing file transfers without user visibility. However, adversaries can exploit these shares for lateral movement or data exfiltration. The detection rule identifies suspicious file copy attempts using common command-line tools like cmd.exe and powershell.exe, focusing on hidden share patterns to flag potential threats.

### Possible investigation steps

- Review the process details to identify the specific command-line tool used (cmd.exe, powershell.exe, xcopy.exe, or robocopy.exe) and examine the arguments to understand the nature of the file copy operation.
- Investigate the source and destination of the file copy by analyzing the network share path in the process arguments, focusing on the hidden share pattern (e.g., \\\\*\\\\*$).
- Check the user account associated with the process to determine if it has legitimate access to the hidden share and assess if the activity aligns with the user's typical behavior.
- Correlate the event with other logs or alerts from the same host or user to identify any additional suspicious activities, such as unusual login attempts or privilege escalation.
- Examine the historical activity of the involved host to identify any previous instances of similar file copy attempts or other indicators of lateral movement.
- Consult threat intelligence sources to determine if the detected pattern or tools are associated with known adversary techniques or campaigns.

### False positive analysis

- Administrative tasks using hidden shares can trigger alerts. Regularly review and document legitimate administrative activities that involve file transfers to hidden shares.
- Backup operations often use hidden shares for data storage. Identify and exclude backup processes by specifying known backup software and their typical command-line arguments.
- Software deployment tools may utilize hidden shares for distributing updates. Create exceptions for recognized deployment tools by listing their process names and associated arguments.
- IT maintenance scripts might copy files to hidden shares for system updates. Maintain a list of approved maintenance scripts and exclude them from triggering alerts.
- User-initiated file transfers for legitimate purposes can be mistaken for threats. Educate users on proper file transfer methods and monitor for unusual patterns that deviate from documented procedures.

### Response and remediation

- Isolate the affected system from the network to prevent further lateral movement or data exfiltration.
- Terminate any suspicious processes identified in the alert, such as cmd.exe, powershell.exe, xcopy.exe, or robocopy.exe, that are involved in the file copy attempt.
- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise or unauthorized access.
- Change credentials for any accounts that were used in the suspicious activity to prevent further unauthorized access.
- Review and restrict permissions on network shares, especially hidden shares, to ensure only authorized users have access.
- Monitor network traffic for any further suspicious activity related to hidden shares and lateral movement attempts.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.002"
name = "SMB/Windows Admin Shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
```
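To see exactly which process events the query above would fire on, here is an added Python re-implementation of its matching logic (this is example code written for this page, not Elastic's engine) run over a handful of constructed process-start events. It reproduces two details that matter when tuning the rule: EQL's `:` operator is a case-insensitive wildcard match over every value of an array field, and `and` binds tighter than `or`, so the inner group reads as `(tool and copy-verb) or robocopy`. One consequence the sample shows is that an `xcopy.exe` launch whose arguments contain no `copy*`/`move*`/`cp`/`mv` token does not match.

```python
import re
from typing import Iterable, List, Tuple

# Patterns copied from the rule's EQL query. In the TOML source the hidden-share
# glob is written "*\\\\*\\*$*"; after EQL string unescaping it is the glob *\\*\*$*,
# i.e. a UNC path whose share name ends in "$" (\\host\C$, \\host\ADMIN$, ...).
COPY_TOOLS = ("cmd.exe", "powershell.exe", "xcopy.exe")
COPY_VERBS = ("copy*", "move*", "cp", "mv")
HIDDEN_SHARE_GLOB = r"*\\*\*$*"


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """EQL ':' semantics: '*' is any run of characters, '?' one character, case-insensitive."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob]
    return re.compile("".join(parts), re.IGNORECASE)


def any_value_matches(values: Iterable[str], globs: Iterable[str]) -> bool:
    """'field : (g1, g2)' on an array field is true if any value matches any glob."""
    compiled = [glob_to_regex(g) for g in globs]
    return any(rx.fullmatch(v) for v in values for rx in compiled)


def matches_rule(process_name: str, args: List[str],
                 os_type: str = "windows", event_type: str = "start") -> bool:
    """Evaluate the rule's query against one process event."""
    if os_type != "windows" or event_type != "start":
        return False
    # EQL precedence: (tool AND copy-verb) OR robocopy, then AND hidden-share path.
    tool_with_verb = any_value_matches([process_name], COPY_TOOLS) and any_value_matches(args, COPY_VERBS)
    is_robocopy = any_value_matches([process_name], ["robocopy.exe"])
    return (tool_with_verb or is_robocopy) and any_value_matches(args, [HIDDEN_SHARE_GLOB])


# Constructed sample events (process.name, process.args); not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, List[str]]] = [
    ("cmd.exe", ["cmd.exe", "/c", "copy", "C:\\staging\\archive.zip", "\\\\FS01\\C$\\Windows\\Temp\\"]),
    ("robocopy.exe", ["robocopy.exe", "C:\\data", "\\\\FS01\\ADMIN$\\tmp", "/E"]),
    ("powershell.exe", ["powershell.exe", "-c", "Copy-Item", "a.txt", "\\\\srv\\share\\"]),  # visible share: no "$"
    ("xcopy.exe", ["xcopy.exe", "C:\\data", "\\\\FS01\\D$\\", "/s"]),  # hidden share, but no copy*/move* token
]


def alerting_processes(events: Iterable[Tuple[str, List[str]]] = SAMPLE_EVENTS) -> List[str]:
    """Return the process names of the events the rule would alert on, in input order."""
    return [name for name, args in events if matches_rule(name, args)]


if __name__ == "__main__":
    print(alerting_processes())  # ['cmd.exe', 'robocopy.exe']
```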
References
- https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language
Related rules
- Execution via TSClient Mountpoint
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Mounting Hidden or WebDav Remote Shares
- Potential WSUS Abuse for Lateral Movement
- Unusual Child Process of dns.exe