Suspicious Copy From or To System Directory

 1title: Suspicious Copy From or To System Directory
 2id: fff9d2b7-e11c-4a69-93d3-40ef66189767
 3related:
 4    - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
 5      type: derived
 6status: test
 7description: |
 8    Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
 9    Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.    
10references:
11    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
12    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
13    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
14author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
15date: 2020/07/03
16modified: 2023/08/29
17tags:
18    - attack.defense_evasion
19    - attack.t1036.003
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_cmd:
25        Image|endswith: '\cmd.exe'
26        CommandLine|contains: 'copy '
27    selection_pwsh:
28        Image|endswith:
29            - '\powershell.exe'
30            - '\pwsh.exe'
31        CommandLine|contains:
32            - 'copy-item'
33            - ' copy '
34            - 'cpi '
35            - ' cp '
36    selection_other:
37        - Image|endswith:
38              - '\robocopy.exe'
39              - '\xcopy.exe'
40        - OriginalFileName:
41              - 'robocopy.exe'
42              - 'XCOPY.EXE'
43    target:
44        CommandLine|contains:
45            - '\System32'
46            - '\SysWOW64'
47            - '\WinSxS'
48    condition: 1 of selection_* and target
49falsepositives:
50    - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
51    - When cmd.exe and xcopy.exe are called directly #  C:\Windows\System32\cmd.exe /c copy file1 file2
52    - When the command contains the keywords but not in the correct order
53level: medium

References

• Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'geopol18.doc'

  Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

  
  Read More

• SANNY Malware Delivery Method Updated in Recently Observed Attacks « SANNY Malware Delivery Method Updated in Recently Observed Attacks

  

  As part of recently observed attacks distributing SANNY malware, the threat actor has made significant changes to their usual malware delivery method.

  
  Read More

• HTML Smuggling Leads to Domain Wide Ransomware - The DFIR Report

  

  We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved … Read More

  
  Read More

Related rules

• LOL-Binary Copied From System Directory
• Potential Defense Evasion Via Rename Of Highly Relevant Binaries
• Windows Processes Suspicious Parent Directory
• Masquerading as Linux Crond Process
• Potential Defense Evasion Via Binary Rename