Suspicious Copy From or To System Directory
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
Sigma rule (View on GitHub)
1title: Suspicious Copy From or To System Directory
2id: fff9d2b7-e11c-4a69-93d3-40ef66189767
3related:
4 - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
5 type: derived
6status: test
7description: |
8 Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
9 Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
10references:
11 - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
12 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
13 - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
14author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
15date: 2020-07-03
16modified: 2025-11-27
17tags:
18 - attack.defense-evasion
19 - attack.t1036.003
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img_cmd:
25 Image|endswith: '\cmd.exe'
26 CommandLine|contains: 'copy '
27 selection_img_pwsh:
28 Image|endswith:
29 - '\powershell.exe'
30 - '\pwsh.exe'
31 CommandLine|contains:
32 - 'copy-item'
33 - ' copy '
34 - 'cpi '
35 - ' cp '
36 selection_img_other:
37 - Image|endswith:
38 - '\robocopy.exe'
39 - '\xcopy.exe'
40 - OriginalFileName:
41 - 'robocopy.exe'
42 - 'XCOPY.EXE'
43 selection_target:
44 CommandLine|re|i: \s['"]?C:\\Windows\\(System32|SysWOW64|WinSxS)
45 filter_optional_avira:
46 Image|endswith: '\cmd.exe'
47 CommandLine|contains|all:
48 - '/c copy'
49 - '\Temp\'
50 - '\avira_system_speedup.exe'
51 CommandLine|contains:
52 - 'C:\Program Files\Avira\'
53 - 'C:\Program Files (x86)\Avira\'
54 condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
55falsepositives:
56 - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
57 - When cmd.exe and xcopy.exe are called directly # C:\Windows\System32\cmd.exe /c copy file1 file2
58 - When the command contains the keywords but not in the correct order
59level: medium
References
-
Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.
Read More -
As part of recently observed attacks distributing SANNY malware, the threat actor has made significant changes to their usual malware delivery method.
Read More -
We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved the…
Read More
Related rules
- LOL-Binary Copied From System Directory
- Renamed Schtasks Execution
- Potential Defense Evasion Via Binary Rename
- Potential Defense Evasion Via Rename Of Highly Relevant Binaries
- Renamed Msdt.EXE Execution