80 changes: 80 additions & 0 deletions yml/OSBinaries/Robocopy.yml
@@ -0,0 +1,80 @@
---
Name: Robocopy.exe
Description: built-in Windows utility used for directory replication, metadata-preserving file operations, and backup automation

Aliases: []

Author: Raja Singh
Created: 2025-12-10

Commands:
- Command: robocopy "C:\source" "D:\dest" file.txt /COPYALL /R:0 /W:0
Description: file and directory copying while preserving timestamps, ACLs, and attributes.
Usecase: Detect unusual timestomp-like or stealth file movement behavior.
Category: Copy
Privileges: User or Administrator (depending on source/destination)
MitreID: T1005
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Tag: MetadataPreservation

- Command: robocopy "C:\Source" "D:\Destination" /MIR /R:0 /W:0
Description: replicating entire folder structures and deletes mismatches in the destination.
Usecase: Identify large-scale replication or suspicious mirroring of sensitive directories.
Category: Copy
Privileges: User or Administrator
MitreID: T1074
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Tag: Mirroring

- Command: robocopy "C:\Source" "D:\Destination" file.txt /COPY:DATS /R:0 /W:0
Description: copying NTFS Alternate Data Streams when present in source files.
Usecase: Surface rare ADS movements that may indicate concealment or staging.
Category: ADS
Privileges: User
MitreID: T1564
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Tag: ADS

- Command: robocopy "C:\Source" "$env:TEMP" file.txt /R:0 /W:0
Description: copies files into temporary or user-writable directories.
Usecase: Identify data staging behaviors that may precede exfiltration.
Category: Copy
Privileges: User
MitreID: T1074
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Tag: Staging

Full_Path:
- Path: C:\Windows\System32\robocopy.exe
- Path: C:\Windows\SysWOW64\robocopy.exe

Code_Sample: []

Detection:
- IOC: robocopy.exe process execution
- IOC: Metadata, mirroring, or ADS-related switches observed in command line
- IOC: High-volume or unusual directory replication operations
- IOC: Execution from uncommon parent processes such as office applications or browsers
- IOC: Copy operations targeting temporary or user-writable staging directories
- IOC: Replication of files from sensitive or user-profile locations
- IOC: Use of robocopy.exe with deletion or mirroring flags (/MIR, /PURGE) in unexpected paths
- IOC: robocopy.exe executed by non-administrative users in abnormal contexts
- Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml#L37
- Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml#L30
- Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml#L38
- Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml#L51
- Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml#L38
- Sigma: https://github.com/SigmaHQ/sigma/blob/13aae8c1eacb68172fd79f343b23d39aa1773d79/unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml#L48

Resources:
- Link: https://learn.microsoft.com/windows-server/administration/windows-commands/robocopy
- Link: https://attack.mitre.org/groups/G0045/
- Link: https://www.cisa.gov/news-events/alerts/2018/10/03/advanced-persistent-threat-activity-exploiting-managed-service-providers

Acknowledgement:
- Person: Raja Singh
Handle: '@fluxwarden'
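Review bot: the `/COPY:DATS` entry (`Category: ADS`) does not do what its Description says: in robocopy's `/COPY` flag set `S` means the NTFS ACL (security), and `D`, `A`, `T` are data, attributes and timestamps, so this switch is the default copy plus ACLs; robocopy carries alternate data streams along with the data stream on NTFS-to-NTFS copies regardless of this flag, so either reword the Description to say that streams are preserved by default (with no switch needed) or drop the entry. Two smaller points: `"$env:TEMP"` in the fourth Command is PowerShell syntax and would be passed literally from cmd.exe, where the `C:\Source` style of the other entries implies they are run, so `%TEMP%` (or a note that the example assumes PowerShell) would be clearer; and the Description fields are fragments in inconsistent voice (`file and directory copying while preserving ...` vs `replicating entire folder structures and deletes mismatches ...`), so rewrite each as a sentence such as `Copies files and directories while preserving timestamps, ACLs and attributes.` On Detection, the first IOC (`robocopy.exe process execution`) will fire on every backup job and admin script; tying it to the switch and parent-process conditions already listed below it keeps the block actionable, and since `create_remote_thread_win_susp_relevant_source_image.yml` is a create-remote-thread rule rather than a process-creation one, confirm it actually references robocopy.exe before keeping that link.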
205 changes: 205 additions & 0 deletions yml/OSBinaries/setx.yml
@@ -0,0 +1,205 @@
---
Name: SetX.exe
Description: Microsoft-signed utility used to create or modify user and system environment variables, including registry extraction, remote variable creation, and file parsing.
Aliases:
- Alias: setx64.exe
Author: Raja Singh
Created: 2025-12-10

Commands:

# Basic Variable Assignment
- Command: setx MACHINE COMPAQ
Description: Creates or updates a user environment variable.
Usecase: Persistent variable modification.
Category: Tamper
Privileges: User
MitreID: T1547
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: EnvModification
- Risk: Persistence

- Command: setx MACHINE "COMPAQ COMPUTER" /M
Description: Creates or updates a system environment variable.
Usecase: System-wide persistence.
Category: Tamper
Privileges: Administrator
MitreID: T1547
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: SystemPersistence
- Risk: ExecutionHijack

# PATH Hijacking
- Command: setx MYPATH %PATH%
Description: Copies PATH to a new variable.
Usecase: Prepare for PATH hijacking.
Category: Tamper
Privileges: User
MitreID: T1574.009
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: PathCopy
- Risk: HijackPrep

- Command: setx MYPATH ~PATH~
Description: Copies PATH with tilde expansion.
Usecase: Modify PATH to insert malicious directories.
Category: Tamper
Privileges: User
MitreID: T1574.009
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: PathManipulation
- Risk: ExecutionHijack

# Remote Execution Context
- Command: setx /S system /U user /P password MACHINE COMPAQ
Description: Creates a variable on a remote host.
Usecase: Remote persistence.
Category: Upload
Privileges: DomainUser
MitreID: T1021
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: RemoteWrite
- Risk: LateralMovement

- Command: setx /S system /U user /P password MYPATH ^%PATH^%
Description: Writes variables remotely using escaped syntax.
Usecase: Remote environment poisoning.
Category: Upload
Privileges: DomainUser
MitreID: T1021
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: RemotePoisoning
- Risk: LMPreAttack

# Registry Extraction (/K)
- Command: setx TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName
Description: Extracts registry value into an environment variable.
Usecase: Collect system configuration without reg.exe.
Category: Reconnaissance
Privileges: User
MitreID: T1005
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: RegistryRead
- Risk: DataGathering

- Command: setx BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M
Description: Extracts build number into a system variable.
Usecase: Persist configuration state.
Category: Reconnaissance
Privileges: Administrator
MitreID: T1547
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: BuildInfo
- Risk: ReconPersistence

- Command: setx /S system /U user /P password TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName
Description: Remote registry extraction.
Usecase: Discovery across hosts.
Category: Upload
Privileges: DomainUser
MitreID: T1021
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: RemoteRecon
- Risk: LateralMovement

- Command: setx /S system /U user /P password BUILD /K "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber" /M
Description: Writes system registry values remotely.
Usecase: Cross-host persistence.
Category: Upload
Privileges: DomainAdmin
MitreID: T1021
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: RemoteBuildWrite
- Risk: CrossHostPersistence

# File Parsing (Syntax 3)
- Command: setx /F ipconfig.out /X
Description: Displays file content via coordinate rendering.
Usecase: Covert file reading.
Category: Reconnaissance
Privileges: User
MitreID: T1083
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: FileRead
- Risk: DataLeak

- Command: setx IPADDR /F ipconfig.out /A 5,11
Description: Extracts text at file coordinates.
Usecase: Extract sensitive values.
Category: Reconnaissance
Privileges: User
MitreID: T1083
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: CoordinateExtract
- Risk: SensitiveInfoGrab

- Command: setx OCTET1 /F ipconfig.out /A 5,3 /D "#$*."
Description: Parses file content using custom delimiters.
Usecase: Extract structured data.
Category: Reconnaissance
Privileges: User
MitreID: T1083
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: DelimiterParsing
- Risk: StructuredLeak

- Command: setx IPGATEWAY /F ipconfig.out /R 0,7 Gateway
Description: Extracts text relative to keyword.
Usecase: Pattern-based extraction.
Category: Reconnaissance
Privileges: User
MitreID: T1083
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: PatternExtract
- Risk: InfraRecon

- Command: setx /S system /U user /P password /F c:\ipconfig.out /X
Description: Reads file contents remotely.
Usecase: Remote file reconnaissance.
Category: Upload
Privileges: DomainUser
MitreID: T1021
OperatingSystem: Windows 7–11; Windows Server 2012–2022
Tags:
- Purpose: RemoteFileRead
- Risk: LMRecon

Full_Path:
- Path: C:\Windows\System32\setx.exe
- Path: C:\Windows\SysWOW64\setx.exe

Code_Sample:
- Code: setx payload C:\Users\Public\evil.exe
- Code: setx /M COMSPEC C:\Users\Public\cmd.exe
- Code: setx PATH "%PATH%;C:\Temp\bin"
- Code: setx SECRET /K HKCU\Software\MyApp\Config\Password
- Code: setx KEYVAL /F output.txt /A 2,5
- Code: setx /S 10.0.0.8 /U corp\admin /P Pass123 backdoor C:\backdoor.exe

Detection:
- IOC: Modification of PATH, COMSPEC, WINDIR, PATHEXT, TEMP, TMP
- IOC: System variable modification via /M
- IOC: Remote SetX usage via /S /U /P
- IOC: Registry extraction using /K
- IOC: Coordinate-based parsing (/A, /R, /X)

Resources:
- Link: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/setx

Acknowledgement:
- Person: Raja Singh
Handle: '@fluxwarden'
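Review bot: the two PATH hijacking entries (`setx MYPATH %PATH%` and `setx MYPATH ~PATH~`) carry `MitreID: T1574.009`, which is Path Interception by Unquoted Path; the sub-technique for manipulating the PATH variable is T1574.007 (Path Interception by PATH Environment Variable), and T1547 (Boot or Logon Autostart Execution) on the plain `setx MACHINE COMPAQ` entries is a stretch for a variable write with no autostart effect, so pick closer techniques or explain in the Usecase why these apply. Three smaller points: `Aliases: - Alias: setx64.exe` names a binary that `Full_Path` does not list, so confirm it ships with Windows or drop it; the `Tags` keys (`Purpose`/`Risk`) differ from the `- Tag:` form used in Robocopy.yml in this same change, so use one scheme in both files; and the `/S /U /P` remote entries are the part most worth detecting, yet `Detection` has no Sigma links (Robocopy.yml has six) and its IOCs are one-liners, so at minimum state the command-line condition (`/S` together with `/U` and `/P`, or `/M` from a non-elevated parent) that a rule should match. The `/F ipconfig.out` examples would also read better with a Usecase that says what is being extracted (an address or gateway from saved `ipconfig` output) rather than the generic `Extract sensitive values`.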