Remote File Copy to a Hidden Share
Detects remote file copy attempts to hidden network shares, indicative of lateral movement or data staging, by monitoring command-line tools like cmd.exe and powershell.exe for hidden share patterns.
This rule identifies remote file copy attempts to hidden network shares within Windows environments, activity that can signal lateral movement or data staging. Adversaries may exploit hidden shares for covert file transfers and data exfiltration. The detection focuses on command-line tools like cmd.exe, powershell.exe, xcopy.exe and robocopy.exe, using process monitoring to identify suspicious file copy operations targeting hidden share patterns (e.g., \\\\*\\\\*$). This detection is crucial for identifying potentially unauthorized access and data exfiltration attempts. The rule was initially created in 2020 and last updated on 2026/04/07. It is applicable to various data sources including endpoint logs, Windows Security Event Logs, Sysmon, and data from security platforms like Microsoft Defender XDR, SentinelOne, and Crowdstrike.
Attack Chain
- An attacker gains initial access to a system within the network (e.g., via phishing or exploiting a vulnerability).
- The attacker uses credential access techniques to obtain valid credentials.
- The attacker leverages command-line tools such as
cmd.exeorpowershell.exeto initiate a file copy operation. - The command-line arguments specify a source file or directory and a destination path pointing to a hidden network share (e.g.,
\\server\C$). - The file copy command is executed, transferring the files to the hidden share.
- The attacker may use the copied files as a staging point for further lateral movement.
- The attacker may exfiltrate the staged data from the hidden share to an external location.
Impact
A successful attack can lead to unauthorized access to sensitive data, lateral movement within the network, and data exfiltration. This can result in significant financial losses, reputational damage, and legal liabilities. The rule helps prevent data staging, which is a pre-cursor for data exfiltration, and lateral movement using hidden shares.
Recommendation
- Deploy the Sigma rule
Remote File Copy to Hidden Shareto your SIEM to detect suspicious activity, tuning it for your specific environment. - Enable Sysmon process-creation logging to capture command-line arguments and activate the Sigma rule.
- Review and restrict permissions on network shares, especially hidden shares, to ensure only authorized users have access as described in the investigation guide.
- Investigate any alerts generated by the Sigma rule by following the triage and analysis steps in the documentation.
- Monitor network traffic for any further suspicious activity related to hidden shares and lateral movement attempts as outlined in the references.
Detection coverage 2
Remote File Copy to Hidden Share
mediumDetects processes copying files to hidden network shares, potentially indicating lateral movement or data staging.
Remote File Copy to Hidden Share - Robocopy
mediumDetects robocopy copying files to hidden network shares, potentially indicating lateral movement or data staging.
Detection queries are available on the platform. Get full rules →