
Summary
This detection rule identifies the unauthorized copying of Windows system utilities out of the 'system32' or 'syswow64' directories. Adversaries often manipulate artifacts to blend in with legitimate processes and evade security tools and user scrutiny; masquerading, for example, involves renaming malicious files or altering their attributes to mimic legitimate software. This rule specifically looks for the commands 'Copy-Item', 'copy', 'xcopy', 'cp', 'cpi' and 'robocopy' when they are executed against those system directories. Detection depends on a process-creation event being recorded, or on PowerShell logging being enabled. It draws on endpoint data and EDR logs to monitor for this activity and records the relevant actions for further analysis.
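Added example, not the rule's own query or code from any project: a Python sketch of the matching logic the summary describes, run over constructed process command lines. The copy verbs and the system32/syswow64 source directories come from the rule; the tokenizer, the function names and the sample command lines are assumptions of this example. It also separates a copy *from* a system directory (which the rule targets) from a copy tool merely living there and from a copy *into* one.

```python
import re
from typing import List, Optional

# Copy verbs named by the rule: cmd's 'copy', xcopy, robocopy, and PowerShell's
# Copy-Item with its aliases 'copy', 'cp' and 'cpi'.
COPY_VERBS = {"copy-item", "copy", "xcopy", "cp", "cpi", "robocopy"}
# Source directories the rule watches; a bare directory operand (as robocopy takes) also matches.
SYSTEM_DIR_RE = re.compile(r"\\windows\\(system32|syswow64)(\\|$)", re.IGNORECASE)

def tokenize(command_line: str) -> List[str]:
    """Split on whitespace and cmd/PowerShell separators, dropping quotes (paths with spaces not handled)."""
    return [t.strip("\"'") for t in re.split(r"[\s;&|]+", command_line) if t.strip("\"'")]

def verb_of(token: str) -> Optional[str]:
    """Map a token to a copy verb, tolerating a full path and an .exe suffix."""
    name = token.lower().rsplit("\\", 1)[-1]
    name = name[:-4] if name.endswith(".exe") else name
    return name if name in COPY_VERBS else None

def copy_source(command_line: str) -> Optional[str]:
    """Return the source operand of the first copy verb, or None if there is no copy verb."""
    tokens = tokenize(command_line)
    for i, token in enumerate(tokens):
        if verb_of(token) is None:
            continue
        args, j = tokens[i + 1:], 0
        while j < len(args):
            if args[j].lower().startswith("-dest"):   # Copy-Item -Destination <value>: not a source
                j += 2
            elif args[j].startswith(("-", "/")):      # other switches, e.g. /Y or -Force
                j += 1
            else:
                return args[j]                        # first positional operand is the source
        return None
    return None

def is_system_utility_copy(command_line: str) -> bool:
    """True when the copy's source operand lies under system32 or syswow64."""
    source = copy_source(command_line)
    return source is not None and SYSTEM_DIR_RE.search(source) is not None

# Constructed sample command lines (not real telemetry): the first three should fire; the
# last three should not (ordinary copy; xcopy.exe itself in system32 but a user source; copy into system32).
SAMPLE_COMMAND_LINES = [
    r'powershell.exe -c "Copy-Item C:\Windows\System32\cmd.exe C:\Users\Public\svchost.exe"',
    r"cmd.exe /c xcopy C:\Windows\SysWOW64\cscript.exe C:\ProgramData\ /Y",
    r"cmd.exe /c robocopy C:\Windows\System32 C:\Temp\tools certutil.exe",
    r"cmd.exe /c copy C:\Users\bob\report.docx D:\backup",
    r"C:\Windows\System32\xcopy.exe C:\Users\bob\src D:\dst /E",
    r'powershell.exe -c "Copy-Item -Destination C:\Windows\System32\drivers\etc\hosts C:\Temp\hosts"',
]
```

A production query would additionally pivot on the parent process and the destination path to rank hits, since administrators also copy built-in tools legitimately.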
Categories
- Windows
- Endpoint
Data Sources
- Process
- File
- Application Log
ATT&CK Techniques
- T1036
- T1546.008
- T1036.003
Created: 2024-02-09