diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
index 53841c573..77d4ab783 100644
--- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml
@@ -1,31 +1,48 @@
 title: Copy from Admin Share
 id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
 status: experimental
-description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
+description: Detects a suspicious copy command to or from an Admin share
 references:
 - https://twitter.com/SBousseaden/status/1211636381086339073
-author: Florian Roth
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: Florian Roth, Teymur Kheirkhabarov '@HeirhabarovT', Zach '@svch0st'
 date: 2019/12/30
-modified: 2020/09/05
+modified: 2020/10/05
 tags:
 - attack.lateral_movement
- - attack.t1021.002
- - attack.command_and_control
- - attack.t1105
- - attack.s0106
- - attack.t1077 # an old one
+ - attack.collection
+ - attack.exfiltration
+ - attack.t1039
+ - attack.t1105 # an old one
+ - attack.t1048
 logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection1:
+ Image|endswith:
+ - '\robocopy.exe'
+ - '\xcopy.exe'
+ selection2:
+ Image|endswith:
+ - '\cmd.exe'
 CommandLine|contains:
- - 'copy *\c$'
- - 'copy *\ADMIN$'
- condition: selection
+ - 'copy'
+ selection4:
+ Image|contains:
+ - '\powershell'
+ CommandLine|contains:
+ - 'copy-item'
+ - 'copy'
+ - 'cpi '
+ - ' cp '
+ selection5:
+ CommandLine|contains:
+ - '\\\\*\*$*'
+ condition: (selection1 or selection2 or selection3 or selection4) and selection5
 fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
 - Administrative scripts
-level: high
+level: medium
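Review bot: The new `condition: (selection1 or selection2 or selection3 or selection4) and selection5` references `selection3`, but the detection block only defines selection1, selection2, selection4 and selection5, so Sigma tooling will reject the rule for an undefined selection and it will never be deployed; either drop the term, `condition: (selection1 or selection2 or selection4) and selection5`, or add the selection that was meant to be there. Separately, if I read Sigma's escaping rules right, the `\*` in selection5's `'\\\\*\*$*'` is an escaped (literal) asterisk rather than a wildcard, which would require a literal `*` before the `$` and never match a `\\host\C$` path; the intended glob is probably `'\\\\*\\*$*'`, worth confirming against sigmac output before merging. The `# an old one` comment now sits on `attack.t1105`, which is a current technique (the retired ID was t1077), so it should be dropped rather than carried over.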