Potentially Suspicious Ping/Copy Command Combination

    Date: 01/13/2025

    Severity: Medium

    Summary

    "Potentially Suspicious Ping/Copy Command Combination" refers to a single command line that combines "ping" (normally used for network testing) with "copy" (used to duplicate files). This unusual pairing can be a red flag for malware activity: attackers may use it to exfiltrate data or communicate with remote servers while attempting to evade detection. Such command lines are uncommon in normal operations and warrant further investigation for potential malicious intent.

    Indicators of Compromise (IOC) List

    Image: '\cmd.exe'

    OriginalFileName: 'Cmd.Exe'

    CommandLine (the queries below require all four substrings): 'ping', 'copy ', ' -n ', ' -y '

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourcename in ("Windows Security" ) AND eventtype = "4688" AND newprocessname like "\cmd.exe" AND processname like "Cmd.Exe" AND commandline like "ping" AND commandline like "copy" AND commandline like "-n" AND commandline like "-y")

    Detection Query 2

    (technologygroup = "EDR" AND newprocessname like "\cmd.exe" AND processname like "Cmd.Exe" AND commandline like "ping" AND commandline like "copy" AND commandline like "-n" AND commandline like "-y")
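    The following is an added example, not Gurucul's or SigmaHQ's code: it applies the logic of the two queries above (cmd.exe image, Cmd.Exe original file name, and all four command-line substrings, with the case-insensitive substring semantics of "like") to a few constructed process-creation records, so you can see which lines fire and which do not. The record format, field names and sample command lines are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class ProcessEvent:
    new_process_name: str    # 4688 NewProcessName / Sigma Image
    original_file_name: str  # PE OriginalFileName ("Cmd.Exe" for cmd)
    command_line: str

# Substrings from the page's IOC list; "like" in the queries is a
# case-insensitive substring test, which is what is implemented here.
CMDLINE_TOKENS = ("ping", "copy ", " -n ", " -y ")

def is_ping_copy_combo(ev: ProcessEvent) -> bool:
    """True when the event satisfies every clause of the detection queries."""
    if not ev.new_process_name.lower().endswith("\\cmd.exe"):
        return False
    if ev.original_file_name.lower() != "cmd.exe":
        return False
    cl = ev.command_line.lower()
    return all(tok in cl for tok in CMDLINE_TOKENS)

def parse_event_line(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' record (assumed format)."""
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("|"))
    return ProcessEvent(fields["NewProcessName"],
                        fields["OriginalFileName"],
                        fields["CommandLine"])

# Constructed sample records, not real telemetry: one hit (ping delay
# followed by a copy), one ping-only line, one non-cmd.exe image.
SAMPLE_LOG = (
    "NewProcessName=C:\\Windows\\System32\\cmd.exe|OriginalFileName=Cmd.Exe|"
    "CommandLine=cmd.exe /c ping -n 3 127.0.0.1 > nul & copy -y "
    "C:\\Users\\Public\\stage.tmp C:\\Users\\Public\\svc.exe\n"
    "NewProcessName=C:\\Windows\\System32\\cmd.exe|OriginalFileName=Cmd.Exe|"
    "CommandLine=cmd.exe /c ping -n 1 fileserver01\n"
    "NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "OriginalFileName=PowerShell.EXE|"
    "CommandLine=powershell -c \"ping -n 2 host; copy -y a.txt b.txt\"\n"
)

def find_matches(log_text: str) -> List[str]:
    """Return the command lines of all records that trigger the rule."""
    return [ev.command_line
            for ev in map(parse_event_line, log_text.splitlines())
            if is_ping_copy_combo(ev)]

if __name__ == "__main__":
    for cl in find_matches(SAMPLE_LOG):
        print("ALERT:", cl)
```

Only the first record fires; the second lacks "copy " and the third is not a cmd.exe image, which is the intended scope of the rule.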

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml


    Tags

    Malware, Sigma
