Remote File Copy to a Hidden Share

  1[metadata]
  2creation_date = "2020/11/04"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging
 11activity.
 12"""
 13from = "now-9m"
 14index = [
 15    "endgame-*",
 16    "logs-crowdstrike.fdr*",
 17    "logs-endpoint.events.process-*",
 18    "logs-m365_defender.event-*",
 19    "logs-sentinel_one_cloud_funnel.*",
 20    "logs-system.security*",
 21    "logs-windows.forwarded*",
 22    "logs-windows.sysmon_operational-*",
 23    "winlogbeat-*",
 24]
 25language = "eql"
 26license = "Elastic License v2"
 27name = "Remote File Copy to a Hidden Share"
 28note = """## Triage and analysis
 29
 30> **Disclaimer**:
 31> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 32
 33### Investigating Remote File Copy to a Hidden Share
 34
 35In Windows environments, hidden network shares are often used for legitimate administrative tasks, allowing file transfers without user visibility. However, adversaries can exploit these shares for lateral movement or data exfiltration. The detection rule identifies suspicious file copy attempts using common command-line tools like cmd.exe and powershell.exe, focusing on hidden share patterns to flag potential threats.
 36
 37### Possible investigation steps
 38
 39- Review the process details to identify the specific command-line tool used (cmd.exe, powershell.exe, xcopy.exe, or robocopy.exe) and examine the arguments to understand the nature of the file copy operation.
 40- Investigate the source and destination of the file copy by analyzing the network share path in the process arguments, focusing on the hidden share pattern (e.g., \\\\*\\\\*$).
 41- Check the user account associated with the process to determine if it has legitimate access to the hidden share and assess if the activity aligns with the user's typical behavior.
 42- Correlate the event with other logs or alerts from the same host or user to identify any additional suspicious activities, such as unusual login attempts or privilege escalation.
 43- Examine the historical activity of the involved host to identify any previous instances of similar file copy attempts or other indicators of lateral movement.
 44- Consult threat intelligence sources to determine if the detected pattern or tools are associated with known adversary techniques or campaigns.
 45
 46### False positive analysis
 47
 48- Administrative tasks using hidden shares can trigger alerts. Regularly review and document legitimate administrative activities that involve file transfers to hidden shares.
 49- Backup operations often use hidden shares for data storage. Identify and exclude backup processes by specifying known backup software and their typical command-line arguments.
 50- Software deployment tools may utilize hidden shares for distributing updates. Create exceptions for recognized deployment tools by listing their process names and associated arguments.
 51- IT maintenance scripts might copy files to hidden shares for system updates. Maintain a list of approved maintenance scripts and exclude them from triggering alerts.
 52- User-initiated file transfers for legitimate purposes can be mistaken for threats. Educate users on proper file transfer methods and monitor for unusual patterns that deviate from documented procedures.
 53
 54### Response and remediation
 55
 56- Isolate the affected system from the network to prevent further lateral movement or data exfiltration.
 57- Terminate any suspicious processes identified in the alert, such as cmd.exe, powershell.exe, xcopy.exe, or robocopy.exe, that are involved in the file copy attempt.
 58- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise or unauthorized access.
 59- Change credentials for any accounts that were used in the suspicious activity to prevent further unauthorized access.
 60- Review and restrict permissions on network shares, especially hidden shares, to ensure only authorized users have access.
 61- Monitor network traffic for any further suspicious activity related to hidden shares and lateral movement attempts.
 62- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""
 63references = ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"]
 64risk_score = 47
 65rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
 66severity = "medium"
 67tags = [
 68    "Domain: Endpoint",
 69    "OS: Windows",
 70    "Use Case: Threat Detection",
 71    "Tactic: Lateral Movement",
 72    "Data Source: Elastic Endgame",
 73    "Data Source: Elastic Defend",
 74    "Data Source: Windows Security Event Logs",
 75    "Data Source: Microsoft Defender for Endpoint",
 76    "Data Source: Sysmon",
 77    "Data Source: SentinelOne",
 78    "Data Source: Crowdstrike",
 79    "Resources: Investigation Guide",
 80]
 81timestamp_override = "event.ingested"
 82type = "eql"
 83
 84query = '''
 85process where host.os.type == "windows" and event.type == "start" and
 86  process.name : ("cmd.exe", "powershell.exe", "xcopy.exe", "pwsh.exe", "powershell_ise.exe") and 
 87  process.command_line : "*\\\\*\\*$*" and process.command_line : ("*copy*", "*move*", "* cp *", "* mv *")
 88'''
 89
 90
 91[[rule.threat]]
 92framework = "MITRE ATT&CK"
 93[[rule.threat.technique]]
 94id = "T1021"
 95name = "Remote Services"
 96reference = "https://attack.mitre.org/techniques/T1021/"
 97[[rule.threat.technique.subtechnique]]
 98id = "T1021.002"
 99name = "SMB/Windows Admin Shares"
100reference = "https://attack.mitre.org/techniques/T1021/002/"
101
102
103
104[rule.threat.tactic]
105id = "TA0008"
106name = "Lateral Movement"
107reference = "https://attack.mitre.org/tactics/TA0008/"