Suspicious Copy From or To System Directory
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
Sigma rule (View on GitHub)
1title: Suspicious Copy From or To System Directory
2id: fff9d2b7-e11c-4a69-93d3-40ef66189767
3related:
4 - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
5 type: derived
6status: test
7description: |
8 Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
9 Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
10references:
11 - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
12 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
13 - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
14author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
15date: 2020-07-03
16modified: 2025-10-07
17tags:
18 - attack.defense-evasion
19 - attack.t1036.003
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img_cmd:
25 Image|endswith: '\cmd.exe'
26 CommandLine|contains: 'copy '
27 selection_img_pwsh:
28 Image|endswith:
29 - '\powershell_ise.exe'
30 - '\powershell.exe'
31 - '\pwsh.exe'
32 CommandLine|contains:
33 - 'copy-item'
34 - ' copy '
35 - 'cpi '
36 - ' cp '
37 selection_img_other:
38 - Image|endswith:
39 - '\robocopy.exe'
40 - '\xcopy.exe'
41 - OriginalFileName:
42 - 'robocopy.exe'
43 - 'XCOPY.EXE'
44 selection_target:
45 CommandLine|contains:
46 - '\System32'
47 - '\SysWOW64'
48 - '\WinSxS'
49 filter_optional_avira:
50 Image|endswith: '\cmd.exe'
51 CommandLine|contains|all:
52 - '/c copy'
53 - '\Temp\'
54 - '\avira_system_speedup.exe'
55 CommandLine|contains:
56 - 'C:\Program Files\Avira\'
57 - 'C:\Program Files (x86)\Avira\'
58 condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
59falsepositives:
60 - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
61 - When cmd.exe and xcopy.exe are called directly # C:\Windows\System32\cmd.exe /c copy file1 file2
62 - When the command contains the keywords but not in the correct order
63level: medium
References
Related rules
- Potential PendingFileRenameOperations Tampering
- Renamed ProcDump Execution
- Potential WerFault ReflectDebugger Registry Value Abuse
- Potential Defense Evasion Via Binary Rename
- Suspicious Download From File-Sharing Website Via Bitsadmin