
snort-2.3.3-2.3.20060mdk.x86_64.rpm

Rule:

--
Sid: 497

--
Summary:
This event is generated by the successful completion of a file transfer operation. It may indicate post-compromise behavior: the use of a Windows command shell to copy files.

--
Impact:
Serious. An attacker may have the ability to transfer files from the victim host.

--
Detailed Information:
This event indicates that a file was successfully copied using the Windows command-line shell. The string "1 file(s) copied" is printed after the successful completion of a Windows "copy" command.

Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed the copy command. Note that the source address of this event is actually the victim and not that of the attacker.

--

Attack Scenarios:
An attacker gains access to a Windows web server via an IIS vulnerability and then copies "cmd.exe" into a directory accessible by the web server, creating a backdoor for accessing the system.

--

Ease of Attack:
Simple. This may be post-attack behavior and can indicate the successful exploitation of a vulnerable system.

--

False Positives:
None Known

--
False Negatives:
None Known

--

Corrective Action:
Investigate the web server for other signs of compromise.

Look for other events generated by the same IP addresses.
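The detection described under Detailed Information and the IP correlation suggested under Corrective Action, as an added Python example that is not code from the Snort package or from this rule's authors: it matches the copy-command marker only in server-to-client HTTP payloads, names the source address as the victim, and groups alerts by victim so the peer addresses can be pulled for review. The flow records, IP addresses and payloads are constructed sample data; the "\d+" in the pattern generalises the documented "1 file(s) copied" string to any file count.

```python
import re
from collections import defaultdict

# Output marker of the Windows "copy" command, matched case-insensitively as
# a Snort content match with "nocase" would; "\d+" generalises the documented
# "1 file(s) copied" to any file count.
COPY_OK = re.compile(rb"\b\d+ file\(s\) copied", re.IGNORECASE)

# Constructed sample segments (not real captures): one HTTP payload each, with
# the direction the sensor would derive from the established flow.
SAMPLE_FLOWS = [
    # server -> client: marker inside an HTTP response (the documented case)
    {"src": "10.0.0.5", "sport": 80, "dst": "203.0.113.9", "dport": 4444,
     "from_server": True,
     "payload": b"HTTP/1.0 200 OK\r\n\r\n        1 file(s) copied.\r\n"},
    # server -> client: ordinary response, no marker
    {"src": "10.0.0.5", "sport": 80, "dst": "203.0.113.9", "dport": 4445,
     "from_server": True,
     "payload": b"HTTP/1.0 200 OK\r\n\r\n<html>Welcome</html>\r\n"},
    # client -> server: same string in a request body, ignored by direction
    {"src": "198.51.100.7", "sport": 51000, "dst": "10.0.0.5", "dport": 80,
     "from_server": False,
     "payload": b"POST /notes HTTP/1.0\r\n\r\nlog: 1 file(s) copied\r\n"},
    # server -> client: a second peer receives the marker, different case
    {"src": "10.0.0.5", "sport": 80, "dst": "198.51.100.7", "dport": 51001,
     "from_server": True,
     "payload": b"HTTP/1.0 200 OK\r\n\r\n        2 FILE(S) COPIED.\r\n"},
]

def detect_file_copied(flows):
    """One alert per server-to-client segment carrying the marker. As the
    documentation notes, the source address is the victim (the web server)."""
    alerts = []
    for f in flows:
        if not f["from_server"]:  # responses only, like flow:from_server
            continue
        if COPY_OK.search(f["payload"]):
            alerts.append({"sid": 497, "victim": f["src"],
                           "peer": f["dst"], "peer_port": f["dport"]})
    return alerts

def peers_by_victim(alerts):
    """Corrective-action helper: the peers each victim host sent the marker to,
    so other events from those addresses can be pulled for review."""
    peers = defaultdict(set)
    for a in alerts:
        peers[a["victim"]].add(a["peer"])
    return {victim: sorted(p) for victim, p in peers.items()}
```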

--
Contributors:
Original rule writer unknown
Snort documentation contributed by Anton Chuvakin <http://www.chuvakin.org>
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--