
Rule Info
Name: Suspicious Copy.exe Accessing Sensitive Windows Files
Author: X__Junior
Description: Detects access to critical Windows security-related files, such as the NTDS database and system configuration files, via xcopy.exe or copy. This behavior is commonly associated with credential theft and other malicious activities.
Date: 2025-02-24 00:00:00
Modified: None
Id: 763670bc-1614-47ea-a56b-5b2e61bfa90c
Tags: attack.defense-evasion
Type: Nextron Sigma feed only (private)