Skip to content

Hide Navigation Hide TOC

Suspicious Copy From or To System Directory (fff9d2b7-e11c-4a69-93d3-40ef66189767)

Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.

Cluster A Galaxy A Cluster B Galaxy B Level
Suspicious Copy From or To System Directory (fff9d2b7-e11c-4a69-93d3-40ef66189767) Sigma-Rules Rename System Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern 1
Rename System Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2