
Summary
This rule detects file copy operations whose source is the System32 or SysWOW64 directory and that are launched from command-line interpreters such as cmd.exe or PowerShell, using process telemetry from Endpoint Detection and Response (EDR) solutions. Copying a built-in utility out of its system directory, often under a new name, is a common precursor to Living Off The Land Binary (LOLBIN) abuse: the attacker runs a legitimate, signed Windows binary from an unexpected path so that detections keyed on the original location or file name do not fire (ATT&CK T1036 Masquerading, T1036.003 Rename System Utilities). If confirmed malicious, the behaviour may lead to arbitrary code execution, system compromise, or lateral movement within the network. The rule correlates several telemetry sources, including Sysmon events and Windows Security event log records, to surface these actions. Expect some benign copies from administrators and deployment tooling; review the destination path, the resulting file name, and the parent process before escalating.
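The detection logic described above, as an added Python example that is not the rule's own query. It evaluates constructed process-creation records whose field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1; the shell list, copy verbs and the System32/SysWOW64 path checks are assumptions made for the example, and the renamed-vs-same-name split maps onto the two techniques the rule lists.

```python
"""Flag file copies out of System32 / SysWOW64 launched from a command shell.

Added example for this rule page, not the page's own query. Operates on
constructed records with Sysmon Event ID 1 style field names
(Image, ParentImage, CommandLine); shell names and copy verbs are assumptions.
"""
import ntpath
import re

# Normalised (lower-case) directories the rule cares about; the trailing
# backslash avoids matching e.g. C:\Windows\System32Backup\.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Longer alternatives first so "Copy-Item" is not cut down to "copy".
COPY_VERB = re.compile(r"(?<![\w-])(copy-item|xcopy|robocopy|copy|cpi|cp)(?![\w-])", re.IGNORECASE)
# A quoted or unquoted Windows path starting with a drive letter or an %ENV% variable.
PATH_TOKEN = re.compile(r'"((?:[A-Za-z]:|%\w+%)\\[^"]*)"|((?:[A-Za-z]:|%\w+%)\\[^\s"]*)')
ENV_ALIASES = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}


def normalize(path: str) -> str:
    """Lower-case a path and expand the SystemRoot-style variables we know about."""
    p = path.strip().lower().replace("/", "\\")
    for var, value in ENV_ALIASES.items():
        if p.startswith(var):
            p = value + p[len(var):]
    return p


def under_system_dir(path: str) -> bool:
    p = normalize(path)
    return any(p == d.rstrip("\\") or p.startswith(d) for d in SYSTEM_DIRS)


def analyze(event: dict) -> dict:
    """Return a finding for one process-creation event.

    Fires when the process or its parent is a shell, the command line carries a
    copy verb, one argument path lies under System32/SysWOW64 and another lies
    outside. A destination ending in a backslash is a directory, so the file
    keeps its name and the finding maps to T1036 rather than T1036.003.
    """
    image = normalize(event.get("Image", ""))
    parent = normalize(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    finding = {"suspicious": False, "source": None, "destination": None,
               "renamed": False, "technique": None, "command_line": cmdline}

    if not ({ntpath.basename(image), ntpath.basename(parent)} & SHELL_IMAGES):
        return finding
    if not COPY_VERB.search(cmdline):
        return finding

    paths = [normalize(quoted or bare) for quoted, bare in PATH_TOKEN.findall(cmdline)]
    if paths and paths[0] == image:        # argv[0] is the shell itself, not a copy source
        paths = paths[1:]
    sources = [p for p in paths if under_system_dir(p)]
    destinations = [p for p in paths if not under_system_dir(p)]
    if not sources or not destinations:
        return finding

    src, dst = sources[0], destinations[0]
    renamed = bool(ntpath.basename(dst)) and ntpath.basename(dst) != ntpath.basename(src)
    finding.update(suspicious=True, source=src, destination=dst, renamed=renamed,
                   technique="T1036.003" if renamed else "T1036")
    return finding


def scan(events) -> list:
    """Return only the findings that fired, in event order."""
    return [f for f in (analyze(e) for e in events) if f["suspicious"]]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c copy %SystemRoot%\\System32\\cmd.exe C:\\Users\\Public\\svchost.exe'},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'powershell.exe -nop -c "Copy-Item -Path C:\\Windows\\SysWOW64\\rundll32.exe -Destination C:\\ProgramData\\update\\"'},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c copy C:\\Users\\bob\\report.docx D:\\backup\\"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["technique"], hit["source"], "->", hit["destination"])
```

The first two sample events fire: the cmd.exe copy becomes a T1036.003 hit because the file is renamed to svchost.exe, while the PowerShell copy into a directory keeps its name and maps to the parent T1036. The benign user-file copy and the ordinary svchost.exe launch do not fire. Positional parsing of source and destination is a simplification; robocopy and parameterised PowerShell syntax can reorder arguments, so production logic should parse per tool.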
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1036.003
- T1036
Created: 2024-12-10