Update win_susp_copy_lateral_movement.yml

rules/windows/process_creation/win_susp_copy_lateral_movement.yml

@@ -1,30 +1,46 @@
 title: Copy from Admin Share
 id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
 status: experimental
-description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
+description: Detects a suspicious copy command to or from an Admin share
 references:
     - https://twitter.com/SBousseaden/status/1211636381086339073
-author: Florian Roth
+    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
 date: 2019/12/30
-modified: 2020/09/05
+modified: 2020/10/05
 tags:
     - attack.lateral_movement
+    - attack.collection
+    - attack.exfiltration
+    - attack.t1039
+    - attack.t1105      # an old one
+    - attack.t1048
     - attack.t1021.002
-    - attack.command_and_control 
-    - attack.t1105
-    - attack.s0106
-    - attack.t1077      # an old one
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection1:
+        Image|endswith:
+            - '\robocopy.exe'
+            - '\xcopy.exe'
+    selection2:
+        Image|endswith:
+            - '\cmd.exe'
         CommandLine|contains:
             - 'copy'
+    selection3:
+        Image|contains:
+            - '\powershell'
         CommandLine|contains:
-            - '\c$'
-            - '\ADMIN$'
-    condition: selection
+            - 'copy-item'
+            - 'copy'
+            - 'cpi '
+            - ' cp '
+    selection4:
+        CommandLine|contains:
+            - '\\\\*\*$*'               
+    condition: (selection1 or selection2 or selection3) and selection4
 fields:
     - CommandLine
     - ParentCommandLine