Copy itself to suspicious location via type command

 1title: Copy itself to suspicious location via type command 
 2status: experimental
 3description: Copy itself to suspicious location via type command
 4author: Joe Security
 5date: 2020-02-13
 6id: 200052
 7threatname:
 8behaviorgroup: 10
 9classification: 1
10mitreattack:
11
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        CommandLine:
18            - '*cmd*type*>*\AppData*'
19    condition: selection
20level: critical