Remote File Copy to a Hidden Share
This rule detects remote file copy attempts to hidden network shares, which may indicate lateral movement or data staging, by identifying file copy operations performed with command-line tools such as cmd.exe and powershell.exe whose arguments target a hidden share pattern.
This detection rule identifies attempts to copy files to hidden network shares in Windows environments, which can indicate lateral movement or data staging by malicious actors. Attackers may leverage hidden shares, which normally serve legitimate administrative purposes, to move laterally within a network or to stage data for exfiltration without being easily noticed. The rule focuses on the use of command-line tools such as cmd.exe and powershell.exe with arguments that copy files to network paths matching a hidden share pattern (e.g., \\*\*$, a UNC path whose share name ends in a dollar sign). Detecting this activity helps identify file transfer operations that deviate from normal administrative or user behavior. The rule was last updated on 2026/05/04.
Attack Chain
- An attacker gains initial access to a compromised host within the network.
- The attacker uses cmd.exe or powershell.exe to execute a file copy command.
- The command line includes arguments to copy files to a hidden network share (e.g., \\<server>\<hidden_share>$).
- The copy, move, cp, or mv commands are used to transfer the file.
- The target hidden share is accessed using the compromised account's credentials.
- The file is successfully copied to the hidden share.
- The attacker may then access the copied file from another compromised host.
- The attacker proceeds to exfiltrate the staged data or uses the copied files for lateral movement.
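The detection logic described above, run over a few constructed Sysmon-style process-creation events, as an added example that is not part of the original rule text or the vendor's query: a process must be cmd.exe or powershell.exe, its command line must contain one of the copy, move, cp or mv verbs the rule names, and it must reference a UNC path whose share name ends in "$". All event values and hostnames are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed Sysmon EventID 1 (process creation) fields, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\alice\report.xlsx \\FILESRV01\C$\Temp\report.xlsx"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "cp .\dump.zip \\10.0.0.5\staging$\dump.zip"'},
    # Copy to a visible (non-$) share: should not match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\data\a.txt \\FILESRV01\Public\a.txt"},
    # Hidden share referenced, but no copy/move verb: should not match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir \\FILESRV01\C$"},
    # Not one of the two shell images the rule covers: should not match.
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"explorer.exe \\FILESRV01\C$"},
]

# The rule scopes on these two process images (compared case-insensitively).
SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe")

# Only the four verbs the rule text lists; the lookarounds avoid matching
# fragments such as "backup.cp" or "cmd" inside other tokens.
COPY_VERBS = re.compile(r"(?i)(?<![\w.-])(copy|move|cp|mv)(?![\w.-])")

# UNC path \\host\share$ : share name must end in "$" and be followed by a
# path separator, whitespace, a quote, or the end of the command line.
HIDDEN_SHARE = re.compile(r'\\\\[^\\\s"]+\\[^\\\s"]+\$(?=[\\\s"]|$)')


def is_shell_process(image: str) -> bool:
    return image.lower().endswith(SHELL_IMAGES)


def detect_hidden_share_copy(event: dict) -> Optional[str]:
    """Return the matched hidden-share UNC prefix if the event is a cmd.exe or
    powershell.exe copy/move to a hidden share, otherwise None."""
    if not is_shell_process(event.get("Image", "")):
        return None
    cmdline = event.get("CommandLine", "")
    if not COPY_VERBS.search(cmdline):
        return None
    m = HIDDEN_SHARE.search(cmdline)
    return m.group(0) if m else None


def scan(events: List[dict]) -> List[Tuple[str, str]]:
    """Run the detection over a batch and return (image, hidden_share) hits."""
    return [(e["Image"], hit) for e in events if (hit := detect_hidden_share_copy(e))]


if __name__ == "__main__":
    for image, share in scan(SAMPLE_EVENTS):
        print(f"ALERT: {image} copied to hidden share {share}")
```

Administrative backup jobs that legitimately copy to C$ or ADMIN$ will match too, so tune the rule per host or account as the recommendations below suggest.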
Impact
A successful attack can lead to unauthorized access to sensitive data, lateral movement to other systems within the network, and potential data exfiltration. Although no victim count or targeted sector is specified, a successful compromise can significantly impact an organization's data security and overall network integrity. The impact includes potential data loss, reputational damage, and disruption of normal business operations.
Recommendation
- Deploy the “Detect Remote File Copy to Hidden Share” Sigma rule to your SIEM and tune for your environment to detect suspicious file copy activities.
- Enable Sysmon process-creation logging to capture the command-line arguments used in file copy operations; the rule above depends on this telemetry.
- Review and restrict permissions on network shares, especially hidden shares, to ensure only authorized users have access, as described in the investigation guide.
- Investigate any alerts generated by the Sigma rule by examining the process details (cmd.exe, powershell.exe) and the network share path, as outlined in the investigation guide.
- Correlate events with other logs or alerts from the same host or user to identify any additional suspicious activities, enhancing the detection capabilities.
Detection coverage (2 rules)
Detect Remote File Copy to Hidden Share via Cmd
Severity: medium. Detects file copy attempts to hidden network shares using cmd.exe, indicating potential lateral movement or data staging.
Detect Remote File Copy to Hidden Share via PowerShell
Severity: medium. Detects file copy attempts to hidden network shares using powershell.exe, which could indicate lateral movement or data staging.