Look for Copy function

Hunt Hypothesis

Adversaries may use the Copy function to exfiltrate data or move laterally within the environment. SOC teams should proactively hunt for this behavior as it could indicate data manipulation or unauthorized transfers that may evade traditional detection methods.

YARA Rule

rule Delphi_Copy {
	meta:
		author = "_pusher_"
		description = "Look for Copy function"
		date = "2016-06"
		version = "0.1"
	strings:
		$c0 = { 53 85 C0 74 2D 8B 58 FC 85 DB 74 26 4A 7C 1B 39 DA 7D 1F 29 D3 85 C9 7C 19 39 D9 7F 11 01 C2 8B 44 24 08 E8 ?? ?? ?? ?? EB 11 31 D2 EB E5 89 D9 EB EB 8B 44 24 08 E8 ?? ?? ?? ?? 5B C2 04 00 }
		//x64 rad
		$c1 = { 53 48 83 EC 20 48 89 CB 44 89 C0 48 33 C9 48 85 D2 74 03 8B 4A FC 83 F8 01 7D 05 48 33 C0 EB 09 83 E8 01 3B C1 7E 02 89 C8 45 85 C9 7D 05 48 33 C9 EB 0A 2B C8 41 3B C9 7E 03 44 89 C9 49 89 D8 48 63 C0 48 8D 14 42 89 C8 4C 89 C1 41 89 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 }
	condition:
		any of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 2 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: A system administrator is using rsync to perform a scheduled backup of user home directories.
  Filter/Exclusion: Exclude processes associated with rsync or check for known backup tools in the process name or command line.

• Scenario: A developer is using Git to clone a repository, which involves copying files from a remote server.
  Filter/Exclusion: Exclude processes related to git clone or check for Git-related command-line arguments in the event data.

• Scenario: A database administrator is using mysqldump to export a database to a local file system.
  Filter/Exclusion: Exclude processes containing mysqldump in the command line or filter by known database export tools.

• Scenario: A user is copying files using Robocopy (Windows) as part of a routine file synchronization task.
  Filter/Exclusion: Exclude processes with robocopy in the command line or filter by known file synchronization tools.

• Scenario: A system update job is using scp (Secure Copy) to transfer files between servers during a patch deployment.
  Filter/Exclusion: Exclude processes containing scp or filter by known system update or deployment tools.