LOLBAS-Project · fluxwarden · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025
@@ -0,0 +1,78 @@
+---
+Name: Robocopy.exe
+Description: Robocopy is a built-in Windows utility used for directory replication, metadata-preserving file operations, and backup automation. Certain behaviors such as metadata preservation, ADS copying, or mirroring can be abused by adversaries.
+
+Aliases: []
+
+Author: Raja Singh
+Created: 2025-12-10
+
+Commands:
+  - Command: robocopy "C:\source" "D:\dest" file.txt /COPYALL /R:0 /W:0
+    Description: File and directory copying while preserving timestamps, ACLs, and attributes.
+    Usecase: Detect timestomp-like or stealth movement of files.
+    Category: Copy
+    Privileges: User
+    MitreID: T1005
+    OperatingSystem: ["Windows"]
+    Tags:
+      - MetadataPreservation
+
+  - Command: robocopy "C:\Source" "D:\Destination" /MIR /R:0 /W:0
+    Description: Replicates entire folder structures and deletes mismatches in the destination.
+    Usecase: Identify large-scale replication or suspicious mirroring of sensitive directories.
+    Category: Copy
+    Privileges: User
+    MitreID: T1074
+    OperatingSystem: ["Windows"]
+    Tags:
+      - Mirroring
+
+  - Command: robocopy "C:\Source" "D:\Destination" file.txt /COPY:DATS /R:0 /W:0
+    Description: Copies NTFS Alternate Data Streams (ADS) when present in source files.
+    Usecase: Detect ADS movement used for concealment or staging.
+    Category: ADS
+    Privileges: User
+    MitreID: T1564
+    OperatingSystem: ["Windows"]
+    Tags:
+      - ADS
+
+  - Command: robocopy "C:\Source" "$env:TEMP" file.txt /R:0 /W:0
+    Description: Copies files into temporary or user-writable directories.
+    Usecase: Identify staging behaviors preceding exfiltration.
+    Category: Copy
+    Privileges: User
+    MitreID: T1074
+    OperatingSystem: ["Windows"]
+    Tags:
+      - Staging
+
+Full_Path:
+  - C:\Windows\System32\robocopy.exe
+  - C:\Windows\SysWOW64\robocopy.exe
+
+Code_Sample: []
+
+Detection:
+  - IOC: robocopy.exe process execution
+  - IOC: Presence of metadata or mirroring switches (/COPYALL, /MIR, /COPY:DATS)
+  - IOC: High-volume or unusual directory replication activity
+  - IOC: Execution from uncommon parents such as Office applications or browsers
+  - IOC: Use of temp or writable user directories as replication targets
+  - IOC: Replication from sensitive or user-profile directories
+  - IOC: Mirroring or deletion flags used unexpectedly (/MIR, /PURGE)
+  - IOC: robocopy.exe executed by non-administrative users in abnormal contexts
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml#L37
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml#L30
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml#L38
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml#L48
+
+Resources:
+  - https://learn.microsoft.com/windows-server/administration/windows-commands/robocopy
+  - https://attack.mitre.org/groups/G0045/
+  - https://www.cisa.gov/news-events/alerts/2018/10/03/advanced-persistent-threat-activity-exploiting-managed-service-providers
+
+Acknowledgement:
+  - Person: Raja Singh
+    Handle: '@fluxwarden'