Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
Sigma rule
title: Copy From Or To Admin Share Or Sysvol Folder
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a copy command or a copy utility execution to or from an Admin share or remote
references:
    - https://twitter.com/SBousseaden/status/1211636381086339073
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019-12-30
modified: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.collection
    - attack.exfiltration
    - attack.t1039
    - attack.t1048
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_target:
        CommandLine|contains:
            - '\\\\*\\*$' # example \\SVR_NAME\ADMIN$
            - '\Sysvol\'
    selection_other_tools:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'copy'
    selection_pwsh_img:
        - Image|contains:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell_ise.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'copy-item'
            - 'copy '
            - 'cpi '
            - ' cp '
            - 'move '
            - ' move-item'
            - ' mi '
            - ' mv '
    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
    - Administrative scripts
level: medium
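To show how the condition above behaves on real-looking telemetry, here is an added Python example (not part of the Sigma project or this rule) that re-implements the rule's selections and runs them over constructed process_creation events. It assumes the standard Sigma semantics for the `contains`, `endswith` and `=` modifiers (case-insensitive, `*` as a wildcard) and resolves the rule's backslash escaping by hand; the hostnames and paths in the sample events are made up.

```python
import re

# Sigma 'contains'/'endswith'/'=' are case-insensitive and '*' is a wildcard in
# 'contains'. The escaped '\\\\*\\*$' means: two backslashes, any, one backslash, any, '$'.
TARGET = ["\\\\*\\*$", "\\Sysvol\\"]
TOOL_IMAGE, TOOL_OFN = ["\\robocopy.exe", "\\xcopy.exe"], ["robocopy.exe", "XCOPY.EXE"]
CMD_IMAGE, CMD_OFN, CMD_CLI = ["\\cmd.exe"], ["Cmd.Exe"], ["copy"]
PWSH_IMAGE = ["\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe"]
PWSH_OFN = ["powershell_ise.exe", "PowerShell.EXE", "pwsh.dll"]
PWSH_CLI = ["copy-item", "copy ", "cpi ", " cp ", "move ", " move-item", " mi ", " mv "]

def contains(value, patterns):
    """Sigma 'contains': case-insensitive substring, '*' matches any run."""
    for pat in patterns:
        regex = ".*".join(re.escape(part) for part in pat.split("*"))
        if re.search(regex, value, re.IGNORECASE):
            return True
    return False

def endswith(value, patterns):
    return any(value.lower().endswith(p.lower()) for p in patterns)

def equals(value, patterns):
    return any(value.lower() == p.lower() for p in patterns)

def matches_rule(event):
    """Evaluate the rule's condition against one process_creation event."""
    cli, img = event.get("CommandLine", ""), event.get("Image", "")
    ofn = event.get("OriginalFileName", "")
    if not contains(cli, TARGET):  # selection_target is mandatory for every branch
        return False
    other_tools = endswith(img, TOOL_IMAGE) or equals(ofn, TOOL_OFN)
    cmd = (endswith(img, CMD_IMAGE) or equals(ofn, CMD_OFN)) and contains(cli, CMD_CLI)
    pwsh = (contains(img, PWSH_IMAGE) or equals(ofn, PWSH_OFN)) and contains(cli, PWSH_CLI)
    return other_tools or cmd or pwsh

# Constructed sample events (not real telemetry); hosts and paths are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy C:\Temp\stage.zip \\SRV01\ADMIN$"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": r"pwsh.exe -c cp .\dump.bin \\DC01\Sysvol\scripts"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe \\SRV01\C$\notes.txt"},  # share hit, no copy tool
    {"Image": r"C:\Windows\System32\Robocopy.exe", "OriginalFileName": "robocopy.exe",
     "CommandLine": r"robocopy.exe C:\Data D:\Backup /E"},  # copy tool, local only
]

def run_samples():
    return [matches_rule(e) for e in SAMPLE_EVENTS]
```

Only the first two events fire; the notepad and local robocopy events show why both the share target and a copy utility are required. An administrative xcopy to a file server's ADMIN$ share fires too, which is the "Administrative scripts" false positive the rule lists.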