Potentially Suspicious Ping/Copy Command Combination

calendar Mar 11, 2024 · attack.defense_evasion attack.t1070.004  ·
Share on: linkedin copy

Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.

Sigma rule (View on GitHub)

 1title: Potentially Suspicious Ping/Copy Command Combination
 2id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
 3status: experimental
 4description: |
 5        Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
 6references:
 7    - Internal Research
 8author: X__Junior (Nextron Systems)
 9date: 2023/07/18
10modified: 2024/03/06
11tags:
12    - attack.defense_evasion
13    - attack.t1070.004
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
19    selection_cmd:
20        - Image|endswith: '\cmd.exe'
21        - OriginalFileName: 'Cmd.Exe'
22    selection_action:
23        CommandLine|contains|all:
24            - 'ping' # Covers "ping" and "ping.exe"
25            - 'copy '
26    selection_cli_1:
27        CommandLine|contains|windash: ' -n ' # Count
28    selection_cli_2:
29        CommandLine|contains|windash: ' -y '
30    condition: all of selection_*
31falsepositives:
32    - Unknown
33level: medium

References

Related rules

to-top