mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
48 lines
1.3 KiB
YAML
48 lines
1.3 KiB
YAML
title: Copy from Admin Share
|
|
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
|
|
status: experimental
|
|
description: Detects a suspicious copy command to or from an Admin share
|
|
references:
|
|
- https://twitter.com/SBousseaden/status/1211636381086339073
|
|
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
|
|
author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st'
|
|
date: 2019/12/30
|
|
modified: 2020/11/28
|
|
tags:
|
|
- attack.lateral_movement
|
|
- attack.collection
|
|
- attack.exfiltration
|
|
- attack.t1039
|
|
- attack.t1105 # an old one
|
|
- attack.t1048
|
|
- attack.t1021.002
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
Image|endswith:
|
|
- '\robocopy.exe'
|
|
- '\xcopy.exe'
|
|
selection2:
|
|
Image|endswith: '\cmd.exe'
|
|
CommandLine|contains: 'copy'
|
|
selection3:
|
|
Image|contains: '\powershell'
|
|
CommandLine|contains:
|
|
- 'copy-item'
|
|
- 'copy'
|
|
- 'cpi '
|
|
- ' cp '
|
|
selection4:
|
|
CommandLine|contains|all:
|
|
- '\\\\'
|
|
- '$'
|
|
condition: (selection1 or selection2 or selection3) and selection4
|
|
fields:
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
falsepositives:
|
|
- Administrative scripts
|
|
level: high
|