Remote file copy

rules/windows/process_creation/remote_copy.yml

@@ -0,0 +1,27 @@
+title: Remote File Copy
+id: c87972e1-4594-421f-a229-8811e90ab4f2
+status: experimental
+description: Detects a suspicious remote copy behavior
+references:
+    - https://attack.mitre.org/techniques/T1105/
+author: Ömer Günal
+date: 2020/06/18
+tags:
+    - attack.lateral_movement
+    - attack.command_and_control
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains:
+            - 'cmd /c certutil -urlcache -split -f * *'
+            - 'certutil -verifyctl -split -f *'
+            - 'C:\Windows\System32\bitsadmin.exe /transfer * /Priority HIGH * *'
+    condition: selection
+fields:
+    - CommandLine
+falsepositives:
+    - Administrative scripts
+level: high