copy-file.yml
rule:
  meta:
    name: copy file
    namespace: host-interaction/file-system/copy
    authors:
      - moritz.raabe@mandiant.com
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - File System::Copy File [C0045]
    examples:
      - Practical Malware Analysis Lab 01-01.exe_:0x401440
  features:
    - or:
      - api: kernel32.CopyFile
      - api: kernel32.CopyFileEx
      - api: CopyFile2
      - api: CopyFileTransacted
      - api: LZCopy
      - api: System.IO.FileInfo::CopyTo
      - api: System.IO.File::Copy
      - basic block:
        - and:
          - number: 2 = FO_COPY
          - or:
            - api: kernel32.SHFileOperation
      - call:
        - and:
          - number: 2 = FO_COPY
          - or:
            - api: kernel32.SHFileOperation
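To show how the or/and/api/number logic of this rule combines, here is an added example (not code from the capa-rules project) that evaluates the rule's feature tree over constructed feature sets; it is a deliberate simplification of capa's matcher, which also handles per-scope evaluation, A/W suffixes and module-less API names.

```python
# Added illustration, not capa's engine: evaluates the boolean logic of the
# rule above (or / and / api / number) over a constructed feature set.
# The rule's `features:` section is transcribed as Python data so no YAML
# library is needed.
SHFILEOP_COPY = {"and": [
    {"number": "2 = FO_COPY"},
    {"or": [{"api": "kernel32.SHFileOperation"}]},
]}
RULE_FEATURES = [{"or": [
    {"api": "kernel32.CopyFile"},
    {"api": "kernel32.CopyFileEx"},
    {"api": "CopyFile2"},
    {"api": "CopyFileTransacted"},
    {"api": "LZCopy"},
    {"api": "System.IO.FileInfo::CopyTo"},
    {"api": "System.IO.File::Copy"},
    {"basic block": [SHFILEOP_COPY]},  # static scope: both in one basic block
    {"call": [SHFILEOP_COPY]},         # dynamic scope: both in one call
]}]

def number_value(spec):
    # "2 = FO_COPY": the value is 2; the text after '=' is a label only.
    return int(spec.split("=")[0].strip(), 0)

def evaluate(node, features):
    # `features` is a set of ("api", name) or ("number", int) tuples.
    (key, value), = node.items()
    if key == "or":
        return any(evaluate(c, features) for c in value)
    if key in ("and", "basic block", "call"):
        # Simplification: a subscope is matched against the same feature
        # set; capa evaluates it per inner basic block / call instead.
        return all(evaluate(c, features) for c in value)
    if key == "api":
        return ("api", value) in features
    if key == "number":
        return ("number", number_value(value)) in features
    raise ValueError(f"unsupported feature type: {key}")

def matches_copy_file(features):
    return all(evaluate(node, features) for node in RULE_FEATURES)

# Constructed sample feature sets (not taken from any real binary).
DIRECT_COPY = {("api", "kernel32.CopyFile"), ("number", 0x100)}
SHELL_COPY = {("api", "kernel32.SHFileOperation"), ("number", 2)}
SHELL_MOVE = {("api", "kernel32.SHFileOperation"), ("number", 1)}  # FO_MOVE

if __name__ == "__main__":
    for name, feats in [("direct", DIRECT_COPY), ("shell copy", SHELL_COPY), ("shell move", SHELL_MOVE)]:
        print(name, matches_copy_file(feats))
```

The third sample shows why the `number: 2 = FO_COPY` operand matters: SHFileOperation alone is not evidence of a copy, since the same API performs moves, deletes and renames.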