rule: copy from admin share - lateral movement

rules/windows/process_creation/win_susp_copy_lateral_movement.yml

@@ -0,0 +1,27 @@
+title: Copy from Admin Share
+id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
+status: experimental
+description: Detects a suspicious copy command from a remote C$ or ADMIN$ share
+references: 
+  - https://twitter.com/SBousseaden/status/1211636381086339073
+author: Florian Roth
+date: 2019/12/30
+tags:
+    - attack.lateral_movement
+    - attack.t1077
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: 
+          - 'copy *\c$'
+          - 'copy *\ADMIN$'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Administrative scripts
+level: high