hayabusa/rules/Sigma/win_susp_copy_lateral_movement.yml

title: Copy from Admin Share
author: Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford
    @svch0st
date: 2019/12/30
description: Detects a suspicious copy command to or from an Admin share
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_10:
        CommandLine: '* cp *'
    SELECTION_11:
        CommandLine: '*\\\\\*'
    SELECTION_12:
        CommandLine: '*$*'
    SELECTION_2:
        Image: '*\robocopy.exe'
    SELECTION_3:
        Image: '*\xcopy.exe'
    SELECTION_4:
        Image: '*\cmd.exe'
    SELECTION_5:
        CommandLine: '*copy*'
    SELECTION_6:
        Image: '*\powershell*'
    SELECTION_7:
        CommandLine: '*copy-item*'
    SELECTION_8:
        CommandLine: '*copy*'
    SELECTION_9:
        CommandLine: '*cpi *'
    condition: (SELECTION_1 and (((SELECTION_2 or SELECTION_3) or (SELECTION_4 and
        SELECTION_5)) or (SELECTION_6 and (SELECTION_7 or SELECTION_8 or SELECTION_9
        or SELECTION_10))) and (SELECTION_11 and SELECTION_12))
falsepositives:
- Administrative scripts
fields:
- CommandLine
- ParentCommandLine
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
level: high
logsource:
    category: process_creation
    product: windows
modified: 2020/11/28
references:
- https://twitter.com/SBousseaden/status/1211636381086339073
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
status: experimental
tags:
- attack.lateral_movement
- attack.collection
- attack.exfiltration
- attack.t1039
- attack.t1105
- attack.t1048
- attack.t1021.002
yml_filename: win_susp_copy_lateral_movement.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation