
Summary
This detection rule identifies suspicious behaviour associated with copying Living Off The Land Binaries (LOLBINs) out of Windows system directories (System32, SysWOW64 and WinSxS) to other locations on disk. The aim of this behaviour is to evade detection logic that looks for executions of well-known system binaries in their usual directories. The rule targets processes that invoke command-line utilities such as cmd.exe and PowerShell, as well as robocopy.exe and xcopy.exe, when a copy command is seen together with a system directory path and the name of a specific LOLBIN. Caution is advised regarding false positives: the same copy operations occur in legitimate administrative activity, so benign operations may be flagged. All of the following must be present for the rule to trigger: a copy operation by one of the selected tools, a system directory path, and a known LOLBIN name.
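The following is an added example, not part of the rule page itself, showing how the three-part condition described above can be evaluated over process-creation events in Python. It assumes events that carry the created process's image path and full command line (as Sysmon process-creation events do); the LOLBIN list is an illustrative assumption, since the page does not enumerate the real rule's list, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Tools whose copy operations the rule watches (taken from the summary).
COPY_TOOLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "robocopy.exe", "xcopy.exe"}

# Copy verbs a command line may carry: cmd's builtin 'copy', the xcopy/robocopy
# tool names, and PowerShell's Copy-Item with its 'cp'/'copy' aliases.
COPY_VERB_RE = re.compile(
    r"(?<![\w-])(copy|xcopy|robocopy|copy-item|cp)(?![\w-])", re.IGNORECASE
)

# Source directories named in the summary. \b so that both 'System32\file.exe'
# and a bare 'System32' directory argument (robocopy style) match.
SYSTEM_DIR_RE = re.compile(r"\\Windows\\(System32|SysWOW64|WinSxS)\b", re.IGNORECASE)

# Illustrative LOLBIN list (assumption: the real rule carries its own, longer list).
LOLBINS = (
    "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "bitsadmin.exe", "msiexec.exe",
)
LOLBIN_RE = re.compile("|".join(re.escape(b) for b in LOLBINS), re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its full command line


def is_suspicious_lolbin_copy(event: ProcessEvent) -> bool:
    """True only when all three conditions of the rule hold at once."""
    image_name = event.image.rsplit("\\", 1)[-1].lower()
    if image_name not in COPY_TOOLS:
        return False
    if not COPY_VERB_RE.search(event.command_line):
        return False
    if not SYSTEM_DIR_RE.search(event.command_line):
        return False
    return bool(LOLBIN_RE.search(event.command_line))


def scan_events(events: list[ProcessEvent]) -> list[int]:
    """Return the indexes of events the rule would flag."""
    return [i for i, e in enumerate(events) if is_suspicious_lolbin_copy(e)]


# Constructed sample events: the first three should alert, the rest should not.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c copy C:\Windows\System32\certutil.exe C:\Users\Public\cu.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -c Copy-Item C:\Windows\SysWOW64\mshta.exe C:\ProgramData\m.exe"),
    ProcessEvent(r"C:\Windows\System32\robocopy.exe",
                 r"robocopy.exe C:\Windows\System32 C:\Users\Public\bin rundll32.exe /NJH"),
    # Benign: copy, but no system directory involved.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c copy C:\Users\alice\report.docx D:\share\report.docx"),
    # Benign: system directory and LOLBIN named, but no copy verb.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir C:\Windows\System32\certutil.exe"),
    # Benign: copy from a system directory, but the file is not a listed LOLBIN.
    ProcessEvent(r"C:\Windows\System32\xcopy.exe",
                 r"xcopy C:\Windows\System32\drivers\etc\hosts C:\Temp\hosts"),
    # Benign: the image is not one of the watched copy tools.
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe copy C:\Windows\System32\mshta.exe"),
]

if __name__ == "__main__":
    for i in scan_events(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i].command_line}")
```

The third sample event illustrates the false-positive caveat from the summary: a robocopy of System32 that happens to name a LOLBIN in its file filter is flagged exactly like a deliberate staging step, so in practice the alert should be reviewed together with the parent process, user and destination path.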
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-08-29