PUA - HoboCopy Execution

Rule Info

Name
PUA - HoboCopy Execution
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of HoboCopy, a command-line tool that can copy locked files using the Volume Shadow Copy Service (VSS). Attackers can abuse this tool to copy sensitive files like SAM, SYSTEM, or NTDS.dit. Even though it can be used for legitimate backup purposes, its presence in modern Windows environments is very rare and potentially associated with malicious activity.
Date
2026-03-27 00:00:00
Modified
None
Id
5a8a5e24-1e7b-4a3c-8f5d-2b9e4c6d8f1a
Tags
attack.collection attack.t1005 attack.credential-access attack.t1003.002 attack.t1003.003
Type
Nextron Sigma feed only (private)

Rule History