Rule Info
Name
Robocopy Mirror Directory Wipe
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects robocopy invoked with /MIR and /B flags, a technique commonly abused by wipers to
overwrite entire directory trees by mirroring an empty source folder in backup mode,
permanently destroying all file contents.
Date
2026-05-04 00:00:00
Modified
None
Id
c4d5e6f7-a8b9-0c1d-2e3f-4a5b6c7d8e9f
Tags
attack.impact attack.t1485
Type
Nextron Sigma feed only (private)
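
The matching the description implies, run over constructed process-creation command lines. This is an added example, not the Nextron rule's logic (which is private); the function names, the tokenizer and the sample events are assumptions.

```python
import ntpath
import re

# Splits a Windows command line into tokens, keeping quoted paths together.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# The two switches the description names. Exact match only: whether the
# private rule also treats variants such as /ZB as a hit is not stated.
REQUIRED_FLAGS = {"/MIR", "/B"}

# Constructed sample command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'robocopy C:\Temp\empty D:\Shares\Finance /MIR /B',
    r'"C:\Windows\System32\Robocopy.exe" "C:\Temp\empty dir" E:\Data /b /mir /R:0',
    r'robocopy C:\Src D:\Backup /MIR /Z',          # mirror, no backup mode
    r'robocopy C:\Src D:\Backup /E /B',            # backup mode, no mirror
    r'notepad.exe C:\notes\robocopy /MIR /B.txt',  # flags present, wrong image
]


def robocopy_flags(command_line):
    """Return the upper-cased switch names of a robocopy invocation,
    or None when the process image is not robocopy."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(command_line)]
    if not tokens:
        return None
    image = ntpath.basename(tokens[0]).lower()
    if image not in ("robocopy", "robocopy.exe"):
        return None
    # Drop any ":value" suffix (e.g. /R:0) so only the switch name is compared.
    return {t.split(":", 1)[0].upper() for t in tokens[1:] if t.startswith("/")}


def is_mirror_wipe_candidate(command_line):
    """True when robocopy is invoked with both /MIR and /B."""
    flags = robocopy_flags(command_line)
    return flags is not None and REQUIRED_FLAGS <= flags


def scan(events):
    """Return the command lines that match, in input order."""
    return [e for e in events if is_mirror_wipe_candidate(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```
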
