Copy from Admin Share

Detects a suspicious copy command to or from an Admin share or remote

Sigma rule

```yaml
title: Copy from Admin Share
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a suspicious copy command to or from an Admin share or remote
references:
    - https://twitter.com/SBousseaden/status/1211636381086339073
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019/12/30
modified: 2023/02/02
tags:
    - attack.lateral_movement
    - attack.collection
    - attack.exfiltration
    - attack.t1039
    - attack.t1048
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_other_tools:
        - Image|endswith:
            - '\robocopy.exe'
            - '\xcopy.exe'
        - OriginalFileName:
            - 'robocopy.exe'
            - 'XCOPY.EXE'
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'copy'
    selection_pwsh_img:
        - Image|contains:
            - '\powershell.exe'
            - '\pwsh.exe'
        - OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'copy-item'
            - 'copy '
            - 'cpi '
            - ' cp '
            - 'move '
            - 'move-item'
            - ' mi '
            - ' mv '
    selection_target:
        - CommandLine|contains|all:
            - '\\\\'
            - '$'
        - CommandLine|contains: '\Sysvol\'
    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
    - Administrative scripts
level: high
```
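To make the condition concrete, the following is an added Python evaluator (written for this page; it is not the Sigma project's engine and not part of the rule) that applies each selection to a handful of constructed process_creation events. It encodes the two Sigma details that matter here: string comparisons are case-insensitive, and `'\\\\'` in the YAML is Sigma-escaped, so it matches the two literal backslashes of a UNC path. The event names and field values are constructed samples, not real telemetry.

```python
# Added example: hand-written evaluator for the "Copy from Admin Share" logic.
# Not Sigma's own matcher; intended only to illustrate how the selections combine.

# PowerShell verbs/aliases listed in selection_pwsh_cli (note the deliberate spaces).
PWSH_VERBS = ("copy-item", "copy ", "cpi ", " cp ", "move ", "move-item", " mi ", " mv ")


def evaluate(event: dict) -> dict:
    """Return the result of every selection plus the final 'match' for one event."""
    # Sigma string values are compared case-insensitively, so normalise first.
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()

    sel = {
        # selection_other_tools: robocopy/xcopy by image path or PE original name
        "other_tools": image.endswith(("\\robocopy.exe", "\\xcopy.exe"))
                       or orig in ("robocopy.exe", "xcopy.exe"),
        # selection_cmd_img / selection_cmd_cli
        "cmd_img": image.endswith("\\cmd.exe") or orig == "cmd.exe",
        "cmd_cli": "copy" in cmd,
        # selection_pwsh_img / selection_pwsh_cli
        "pwsh_img": "\\powershell.exe" in image or "\\pwsh.exe" in image
                    or orig in ("powershell.exe", "pwsh.dll"),
        "pwsh_cli": any(verb in cmd for verb in PWSH_VERBS),
        # selection_target: UNC prefix "\\" together with "$" (admin share), or \Sysvol\
        "target": ("\\\\" in cmd and "$" in cmd) or "\\sysvol\\" in cmd,
    }
    # condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
    sel["match"] = sel["target"] and (
        sel["other_tools"]
        or (sel["cmd_img"] and sel["cmd_cli"])
        or (sel["pwsh_img"] and sel["pwsh_cli"])
    )
    return sel


# Constructed sample events (hypothetical hosts and paths, not real data).
SAMPLE_EVENTS = {
    "cmd_copy_to_admin_share": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c copy C:\Users\Public\archive.zip \\SRV01\C$\Windows\Temp\archive.zip",
    },
    "robocopy_to_admin_share": {
        "Image": r"C:\Windows\System32\Robocopy.exe",
        "OriginalFileName": "robocopy.exe",
        "CommandLine": r"Robocopy.exe C:\Data \\FS01\ADMIN$\staging /E",
    },
    "pwsh_copy_to_sysvol": {
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": r"pwsh.exe -Command Copy-Item .\logon.bat \\DC01\SYSVOL\corp.local\scripts\logon.bat",
    },
    # Negative cases: no remote target, a non-admin share, and a non-copy verb.
    "xcopy_local_only": {
        "Image": r"C:\Windows\System32\xcopy.exe",
        "OriginalFileName": "XCOPY.EXE",
        "CommandLine": r"xcopy C:\Data D:\Backup /E",
    },
    "robocopy_to_regular_share": {
        "Image": r"C:\Windows\System32\Robocopy.exe",
        "OriginalFileName": "robocopy.exe",
        "CommandLine": r"Robocopy.exe C:\Data \\FS01\Public\staging /E",
    },
    "cmd_dir_admin_share": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c dir \\SRV01\C$",
    },
}


def run_samples() -> dict:
    """Evaluate every constructed event and return {name: matched?}."""
    return {name: bool(evaluate(ev)["match"]) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        result = evaluate(ev)
        print(f"{name:28s} match={result['match']}  target={result['target']}")
```

The negative cases show what the rule does not cover: a local xcopy, a copy to an ordinary (non-`$`) share, and a `dir` against an admin share all fall through, because the condition requires both the target selection and one of the copy-tool selections. For production use, compile the rule with sigma-cli or a pySigma backend for your SIEM rather than a hand-written matcher; this evaluator is only meant to make the boolean structure of the condition visible.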
