diff --git a/yml/OSBinaries/Robocopy.yml b/yml/OSBinaries/Robocopy.yml new file mode 100644 index 00000000..5ead9ac4 --- /dev/null +++ b/yml/OSBinaries/Robocopy.yml 
@@ -0,0 +1,78 @@ +--- +Name: Robocopy.exe +Description: Robocopy is a built-in Windows utility used for directory replication, metadata-preserving file operations, and backup automation. Certain behaviors such as metadata preservation, ADS copying, or mirroring can be abused by adversaries. + +Aliases: [] + +Author: Raja Singh +Created: 2025-12-10 + +Commands: + - Command: robocopy "C:\source" "D:\dest" file.txt /COPYALL /R:0 /W:0 + Description: File and directory copying while preserving timestamps, ACLs, and attributes. + Usecase: Detect timestomp-like or stealth movement of files. + Category: Copy + Privileges: User + MitreID: T1005 + OperatingSystem: ["Windows"] + Tags: + - MetadataPreservation + + - Command: robocopy "C:\Source" "D:\Destination" /MIR /R:0 /W:0 + Description: Replicates entire folder structures and deletes mismatches in the destination. + Usecase: Identify large-scale replication or suspicious mirroring of sensitive directories. + Category: Copy + Privileges: User + MitreID: T1074 + OperatingSystem: ["Windows"] + Tags: + - Mirroring + + - Command: robocopy "C:\Source" "D:\Destination" file.txt /COPY:DATS /R:0 /W:0 + Description: Copies NTFS Alternate Data Streams (ADS) when present in source files. + Usecase: Detect ADS movement used for concealment or staging. + Category: ADS + Privileges: User + MitreID: T1564 + OperatingSystem: ["Windows"] + Tags: + - ADS + + - Command: robocopy "C:\Source" "$env:TEMP" file.txt /R:0 /W:0 + Description: Copies files into temporary or user-writable directories. + Usecase: Identify staging behaviors preceding exfiltration. 
+ Category: Copy + Privileges: User + MitreID: T1074 + OperatingSystem: ["Windows"] + Tags: + - Staging + +Full_Path: + - C:\Windows\System32\robocopy.exe + - C:\Windows\SysWOW64\robocopy.exe + +Code_Sample: [] + +Detection: + - IOC: robocopy.exe process execution + - IOC: Presence of metadata or mirroring switches (/COPYALL, /MIR, /COPY:DATS) + - IOC: High-volume or unusual directory replication activity + - IOC: Execution from uncommon parents such as Office applications or browsers + - IOC: Use of temp or writable user directories as replication targets + - IOC: Replication from sensitive or user-profile directories + - IOC: Mirroring or deletion flags used unexpectedly (/MIR, /PURGE) + - IOC: robocopy.exe executed by non-administrative users in abnormal contexts + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml#L37 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml#L30 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml#L38 + - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml#L48 + +Resources: + - https://learn.microsoft.com/windows-server/administration/windows-commands/robocopy + - https://attack.mitre.org/groups/G0045/ + - https://www.cisa.gov/news-events/alerts/2018/10/03/advanced-persistent-threat-activity-exploiting-managed-service-providers + +Acknowledgement: + - Person: Raja Singh + Handle: '@fluxwarden'
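Review bot: The fourth command, `robocopy "C:\Source" "$env:TEMP" file.txt /R:0 /W:0`, uses a PowerShell environment-variable expansion while the other three commands are written in shell-neutral form; if a reader runs it from cmd.exe, `$env:TEMP` is taken literally and robocopy creates a directory of that name rather than writing to the temp folder. Either use the cmd-style `%TEMP%` (or an explicit path such as `C:\Users\<user>\AppData\Local\Temp`) for consistency with the rest of the entry, or state in the Description that the command is meant to be run from PowerShell. Separately, the Detection IOC that flags the mere presence of `/MIR`, `/PURGE` or `/COPYALL` will match every legitimate scheduled backup and file-server sync job; it would be worth noting that those switches are only meaningful when combined with the contextual IOCs already listed (unusual parent process, non-administrative user, temp or user-profile targets), so that consumers of the entry do not alert on them in isolation.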