LindoMngadi/svchost_copy_command.yml Secret

## svchost_copy_command.yml
title: Svchost data exfiltration
id: dc4249c9-d96f-401b-a92b-caa6208c097d
status: experimental
description: Detects possible data exfiltration via svchost
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
author: Nclose
date: 2021/03/29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: process_creation
detection:
    selection:
        CommandLine|contains: 'copy'
        Image|endswith: '\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
	title: Svchost data exfiltration
	id: dc4249c9-d96f-401b-a92b-caa6208c097d
	status: experimental
	description: Detects possible data exfiltration via svchost
	references:
	- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
	author: Nclose
	date: 2021/03/29
	tags:
	- attack.exfiltration
	- attack.t1048
	logsource:
	product: windows
	service: process_creation
	detection:
	selection:
	CommandLine\|contains: 'copy'
	Image\|endswith: '\svchost.exe'
	condition: selection
	falsepositives:
	- Unknown
	level: high