Suspicious Copy From or To System Directory

Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.

Sigma rule (View on GitHub)

 1title: Suspicious Copy From or To System Directory
 2id: fff9d2b7-e11c-4a69-93d3-40ef66189767
 3related:
 4    - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
 5      type: derived
 6status: test
 7description: |
 8    Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
 9    Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.    
10references:
11    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
12    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
13    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
14author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
15date: 2020-07-03
16modified: 2025-10-07
17tags:
18    - attack.defense-evasion
19    - attack.t1036.003
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img_cmd:
25        Image|endswith: '\cmd.exe'
26        CommandLine|contains: 'copy '
27    selection_img_pwsh:
28        Image|endswith:
29            - '\powershell_ise.exe'
30            - '\powershell.exe'
31            - '\pwsh.exe'
32        CommandLine|contains:
33            - 'copy-item'
34            - ' copy '
35            - 'cpi '
36            - ' cp '
37    selection_img_other:
38        - Image|endswith:
39              - '\robocopy.exe'
40              - '\xcopy.exe'
41        - OriginalFileName:
42              - 'robocopy.exe'
43              - 'XCOPY.EXE'
44    selection_target:
45        CommandLine|contains:
46            - '\System32'
47            - '\SysWOW64'
48            - '\WinSxS'
49    filter_optional_avira:
50        Image|endswith: '\cmd.exe'
51        CommandLine|contains|all:
52            - '/c copy'
53            - '\Temp\'
54            - '\avira_system_speedup.exe'
55        CommandLine|contains:
56            - 'C:\Program Files\Avira\'
57            - 'C:\Program Files (x86)\Avira\'
58    condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
59falsepositives:
60    - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
61    - When cmd.exe and xcopy.exe are called directly #  C:\Windows\System32\cmd.exe /c copy file1 file2
62    - When the command contains the keywords but not in the correct order
63level: medium

References

Related rules

to-top