Skip to content

Update: Suspicious Copy From or To System Directory #5482

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Update: Suspicious Copy From or To System Directory #5482

wants to merge 5 commits into from

Conversation

swachchhanda000
Copy link
Collaborator

@swachchhanda000 swachchhanda000 commented Jun 16, 2025
edited by phantinuss
Loading

Summary of the Pull Request

Skeleton Spider abused the xcopy utility to copy ie4unit.exe from system32 to %AppData%\Microsoft\ to execute malicious inf file.

Changelog

fix: Suspicious Copy From or To System Directory - add FP filter
update: LOL-Binary Copied From System Directory - add new LOLBIN

Example Log Event

Screenshot 2025-06-16 at 1 19 00 PM 
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" /> 
  <EventID>1</EventID> 
  <Version>5</Version> 
  <Level>4</Level> 
  <Task>1</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2025-06-16T07:33:35.6879240Z" /> 
  <EventRecordID>15530</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="3208" ThreadID="1724" /> 
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
  <Computer>swachchhanda</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
<EventData>
  <Data Name="RuleName">-</Data> 
  <Data Name="UtcTime">2025-06-16 07:33:35.678</Data> 
  <Data Name="ProcessGuid">{0197231e-c8cf-684f-bb0c-000000000800}</Data> 
  <Data Name="ProcessId">4036</Data> 
  <Data Name="Image">C:\Windows\System32\Robocopy.exe</Data> 
  <Data Name="FileVersion">10.0.26100.2454 (WinBuild.160101.0800)</Data> 
  <Data Name="Description">Microsoft Robocopy</Data> 
  <Data Name="Product">Microsoft® Windows® Operating System</Data> 
  <Data Name="Company">Microsoft Corporation</Data> 
  <Data Name="OriginalFileName">robocopy.exe</Data> 
  <Data Name="CommandLine">C:\Windows\System32\Robocopy.exe</Data> 
  <Data Name="CurrentDirectory">C:\Users\xodih\</Data> 
  <Data Name="User">swachchhanda\xodih</Data> 
  <Data Name="LogonGuid">{0197231e-ab9f-67aa-fb17-030000000000}</Data> 
  <Data Name="LogonId">0x317fb</Data> 
  <Data Name="TerminalSessionId">1</Data> 
  <Data Name="IntegrityLevel">Medium</Data> 
  <Data Name="Hashes">MD5=2EA5C0894599E1D4676E16FE90B94E1B,SHA256=941C6E630013EC14889ABAB2F1537E8BABD2FAF3D257A27291A2FEC9F342075F,IMPHASH=43593296F7AE635E6B02BE8BA81A3AFD</Data> 
  <Data Name="ParentProcessGuid">{0197231e-c44f-684f-f90b-000000000800}</Data> 
  <Data Name="ParentProcessId">956</Data> 
  <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data> 
  <Data Name="ParentCommandLine">"C:\WINDOWS\system32\cmd.exe"</Data> 
  <Data Name="ParentUser">swachchhanda\xodih</Data> 
  </EventData>
  </Event>

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Jun 16, 2025
swachchhanda000
swachchhanda000 commented Jun 16, 2025
View reviewed changes
rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml Outdated
Comment on lines 46 to 56
- '\System32'
- '\SysWOW64'
- '\WinSxS'
condition: 1 of selection_* and target
filter_main_cmd:
CommandLine|endswith:
- 'C:\Windows\System32\xcopy.exe'
- 'C:\Windows\SysWOW64\xcopy.exe'
- 'C:\Windows\System32\robocopy.exe'
- 'C:\Windows\SysWOW64\robocopy.exe'
condition: 1 of selection_* and target and not 1 of filter_main_*
falsepositives:
Copy link
Collaborator Author

@swachchhanda000 swachchhanda000 Jun 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- '\System32'
- '\SysWOW64'
- '\WinSxS'
condition: 1 of selection_* and target
filter_main_cmd:
CommandLine|endswith:
- 'C:\Windows\System32\xcopy.exe'
- 'C:\Windows\SysWOW64\xcopy.exe'
- 'C:\Windows\System32\robocopy.exe'
- 'C:\Windows\SysWOW64\robocopy.exe'
condition: 1 of selection_* and target and not 1 of filter_main_*
falsepositives:
- ' C:\Windows\System32'
- ' C:\Windows\SysWOW64'
- ' C:\Windows\WinSxS'
- ' "C:\Windows\System32'
- ' "C:\Windows\SysWOW64'
- ' "C:\Windows\WinSxS'
- " 'C:\Windows\System32"
- " 'C:\Windows\SysWOW64"
- " 'C:\Windows\WinSxS"
condition: 1 of selection_* and target
falsepositives:

Even though I have added the filter, it would still have fp on legitimate cases like C:\Windows\System32\xcopy.exe C:\Test C:\Test\A.
So, I propose we add preceding space with the full paths. This way, the filter more accurately matches only the intended directory references and avoids executables being run from those locations (e.g., cmd.exe, robocopy.exe, etc.).

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this approach much better.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The line 53-36 caused parsing issue, thus I had to use regex as last resort

phantinuss
phantinuss approved these changes Jul 28, 2025
View reviewed changes
rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
- '\System32'
- '\SysWOW64'
- '\WinSxS'
CommandLine|re: (?i)\s[\s'"]?C:\\Windows\\((System32|SysWOW64|WinSxS))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
CommandLine|re: (?i)\s[\s'"]?C:\\Windows\\((System32|SysWOW64|WinSxS))
CommandLine|re|i: \s['"]?C:\\Windows\\(System32|SysWOW64|WinSxS)

rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml
@@ -13,7 +13,7 @@ references:
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
date: 2020-07-03
modified: 2023-08-29
modified: 2025-06-16
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
modified: 2025-06-16
modified: 2025-07-28

rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-29
date: 2025-06-16
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
date: 2025-06-16
date: 2023-08-29
modified: 2025-07-28

@phantinuss phantinuss added the 2nd Review Needed PR need a second approval label Jul 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@phantinuss phantinuss phantinuss approved these changes

Assignees
No one assigned
Labels
2nd Review Needed PR need a second approval Rules Windows Pull request add/update windows related rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@swachchhanda000 @phantinuss