title: Suspicious Copy From or To System32 id: fff9d2b7-e11c-4a69-93d3-40ef66189767 status: experimental description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name author: Florian Roth, Markus Neis date: 2020/07/03 modified: 2020/09/05 references: - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 logsource: category: process_creation product: windows tags: - attack.defense_evasion - attack.t1036.003 detection: selection: CommandLine|contains: - ' /c copy *\System32\' - 'xcopy*\System32\' condition: selection fields: - CommandLine - ParentCommandLine falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment - Admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/ level: medium