Copy From Or To Admin Share Or Sysvol Folder

 1title: Copy From Or To Admin Share Or Sysvol Folder
 2id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
 3status: test
 4description: Detects a copy command or a copy utility execution to or from an Admin share or remote
 5references:
 6    - https://twitter.com/SBousseaden/status/1211636381086339073
 7    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 8    - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
 9    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
10author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
11date: 2019/12/30
12modified: 2023/11/15
13tags:
14    - attack.lateral_movement
15    - attack.collection
16    - attack.exfiltration
17    - attack.t1039
18    - attack.t1048
19    - attack.t1021.002
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_target:
25        CommandLine|contains:
26            - '\\\\*$'
27            - '\Sysvol\'
28    selection_other_tools:
29        - Image|endswith:
30              - '\robocopy.exe'
31              - '\xcopy.exe'
32        - OriginalFileName:
33              - 'robocopy.exe'
34              - 'XCOPY.EXE'
35    selection_cmd_img:
36        - Image|endswith: '\cmd.exe'
37        - OriginalFileName: 'Cmd.Exe'
38    selection_cmd_cli:
39        CommandLine|contains: 'copy'
40    selection_pwsh_img:
41        - Image|contains:
42              - '\powershell.exe'
43              - '\pwsh.exe'
44        - OriginalFileName:
45              - 'PowerShell.EXE'
46              - 'pwsh.dll'
47    selection_pwsh_cli:
48        CommandLine|contains:
49            - 'copy-item'
50            - 'copy '
51            - 'cpi '
52            - ' cp '
53            - 'move '
54            - 'move-item'
55            - ' mi '
56            - ' mv '
57    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
58falsepositives:
59    - Administrative scripts
60level: medium

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Kheirkhabarov24052017.pdf

  

  Sign in Loading…

  
  Read More

• Remote File Copy to a Hidden Share | Elastic Security Solution [8.13] | Elastic

  

  Remote File Copy to a Hidden Shareedit Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. Rule type: eql Rule indices: log...

  
  Read More

• https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/

  
  Read More

Related rules

• Cisco Stage Data
• PUA - CSExec Default Named Pipe
• PUA - RemCom Default Named Pipe
• Compressed File Creation Via Tar.EXE
• Compressed File Extraction Via Tar.EXE