Closed

wietze (Member) commented:
Hey @fluxwarden, thank you for your suggestion. Adding Robocopy has been proposed before (#51), but unfortunately it does not meet the criteria this project has set out, as the behaviour you're describing is expected for a utility that contains the word copy. For that reason, I'm closing this pull request for now. If you believe my assessment is wrong, please let me know. Thanks again.
fluxwarden (Author) commented:
Hi @wietze,

Thanks for taking a look and for pointing me to the earlier proposal.

I get the concern that robocopy is doing exactly what it says. The intent here wasn't to treat normal copy operations as suspicious, but to capture how certain flags and usage patterns tend to show up during post-compromise activity rather than day-to-day admin work.

In practice, options like /MIR and /PURGE (destructive mirroring), /COPYALL (ACL and timestamp preservation), ADS handling, or large-scale copies into temp or user-writable locations can meaningfully support staging, evasion, or cleanup, especially when they're triggered from unusual parent processes or by non-admin users. That's the behavior I was trying to highlight.

I appreciate the clarification around the project's criteria and the feedback overall. Happy to revisit or adjust things if the scope changes down the line.

Thanks again for the time and for maintaining the project.

Regards,
Raja Singh
On Sat, Jan 3, 2026 at 3:53 PM Wietze ***@***.***> wrote:

wietze left a comment (LOLBAS-Project/LOLBAS#479) <#479 (comment)>

Hey @fluxwarden <https://github.com/fluxwarden>, thank you for your suggestion. Adding Robocopy has been proposed before (#51 <#51>), but unfortunately it does not meet the criteria <https://github.com/LOLBAS-Project/LOLBAS?tab=readme-ov-file#criteria> this project has set out, as the behaviour you're describing is expected for a utility that contains the word copy. For that reason, I'm closing this pull request for now. If you believe my assessment is wrong, please let me know. Thanks again.
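The author's reply argues that robocopy becomes interesting to a defender only in combination: destructive or ACL-preserving switches, a destination a non-admin can write to, and an unexpected parent process or integrity level. The block below is an added example of that triage logic, written for this page and not part of the LOLBAS project or of the PR; the event fields follow Sysmon Event ID 1 naming, while the sample events, the allowlist of expected parent processes and the staging-path patterns are constructed assumptions that a team would tune to its own environment.

```python
"""Triage heuristics for robocopy.exe process-creation events (added example)."""
import re
import shlex

# Switches the reply singles out: destructive mirroring and ACL/owner preservation.
DESTRUCTIVE_SWITCHES = {"/MIR", "/PURGE"}
ACL_SWITCHES = {"/COPYALL", "/SEC"}

# Parents from which robocopy is normally launched (assumption; tune per fleet).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe"}

# Destinations a standard user can write to without elevation (assumption).
STAGING_PATHS = re.compile(
    r"\\(Windows\\Temp|Temp|AppData|Users\\Public|ProgramData)\\", re.IGNORECASE
)


def parse_command_line(cmdline):
    """Split a robocopy command line into (source, destination, switches).

    posix=False keeps Windows backslashes literal; quotes are stripped afterwards.
    robocopy takes <source> <destination> [files] [switches], so the first two
    non-switch tokens after the image are source and destination. Switch values
    such as /R:0 are normalised to their name (/R) for set membership tests.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    positional = [t for t in tokens[1:] if not t.startswith("/")]
    switches = {t.upper().split(":")[0] for t in tokens[1:] if t.startswith("/")}
    source = positional[0] if positional else ""
    destination = positional[1] if len(positional) > 1 else ""
    return source, destination, switches


def assess_event(event):
    """Return the list of indicator names one process-creation event triggers."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    _, destination, switches = parse_command_line(event["CommandLine"])
    indicators = []
    if switches & DESTRUCTIVE_SWITCHES:
        indicators.append("destructive_mirror")
    if switches & ACL_SWITCHES:
        indicators.append("acl_preservation")
    if destination and STAGING_PATHS.search(destination):
        indicators.append("user_writable_destination")
    if parent not in EXPECTED_PARENTS:
        indicators.append("unusual_parent")
    # Sysmon reports non-elevated processes at Medium integrity; privileged-looking
    # switches from such a context are what the reply calls "non-admin users".
    elevated_switches = DESTRUCTIVE_SWITCHES | ACL_SWITCHES
    if event.get("IntegrityLevel", "").lower() == "medium" and switches & elevated_switches:
        indicators.append("non_elevated_privileged_copy")
    return indicators


def verdict(indicators):
    """Collapse indicators into a triage tier: 'ignore', 'log' or 'review'."""
    if "user_writable_destination" in indicators and len(indicators) >= 2:
        return "review"
    if len(indicators) >= 3:
        return "review"
    return "log" if indicators else "ignore"


# Constructed sample events (not captured telemetry): a scheduled backup, a
# staging-style copy from an odd parent, and an ordinary user copy.
SAMPLE_EVENTS = {
    "backup": {
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"robocopy.exe D:\Data \\backup01\share\Data /MIR /R:1 /W:1",
        "IntegrityLevel": "High",
    },
    "staging": {
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
        "CommandLine": r'robocopy.exe "C:\Users\alice\Documents" "C:\Users\Public\cache" /MIR /COPYALL /R:0 /W:0',
        "IntegrityLevel": "Medium",
    },
    "user_copy": {
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"robocopy.exe C:\Users\bob\Pictures E:\Backup\Pictures /E",
        "IntegrityLevel": "Medium",
    },
}


def triage(events):
    """Map each event name to (verdict, indicators)."""
    return {name: (verdict(assess_event(ev)), assess_event(ev)) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (tier, hits) in triage(SAMPLE_EVENTS).items():
        print(f"{name:10s} {tier:7s} {', '.join(hits) or '-'}")
```

The scoring deliberately keeps a lone /MIR at "log" rather than "review": that is the maintainer's point that mirroring is what the tool is for, and the reply's own argument is that the combination with destination and context is what separates staging from a backup job.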