title: Suspicious Copy From System Root
id: fff9d2b7-e11c-4a69-93d3-40ef66189767
status: experimental
description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
author: Florian Roth
date: 2020/07/03
references:
    - Internal Research
logsource:
    category: process_creation
    product: windows
tags:
    - attack.defense_evasion
detection:
    selection:
        CommandLine|contains:
            - 'cmd.exe /c copy %SystemRoot%'
            - 'cmd.exe /c copy C:\Windows'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high