T1070.010

Relocate Malware

Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may be combined with file deletion to clean up older artifacts. Adversaries may rename payloads to blend into the local environment, target file/path exclusions (such as AV exclusion directories), or position payloads in persistence-related directories. Moving payloads does not alter the Creation timestamp, evading detection logic reliant on file creation time modifications.

Microsoft Sentinel / Defender

kusto

let SuspiciousTargetPaths = dynamic([
  "\\AppData\\Roaming\\",
  "\\AppData\\Local\\Temp\\",
  "\\ProgramData\\",
  "\\Windows\\Temp\\",
  "\\Users\\Public\\",
  "\\Windows\\System32\\",
  "\\Windows\\SysWOW64\\",
  "\\Recycle",
  "\\$Recycle.Bin"
]);
let SuspiciousExtensions = dynamic([
  ".exe", ".dll", ".bat", ".ps1", ".vbs", ".js", ".hta", ".cmd", ".scr", ".cpl", ".pif"
]);
let CopyTools = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe", "copy", "cp"
]);
// Detect file copy/move via process command lines
let ProcessCopyEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe")
| where ProcessCommandLine has_any ("copy ", "xcopy ", "robocopy ", "Copy-Item", "Move-Item", "cp ", "mv ", "move ")
| where ProcessCommandLine has_any (SuspiciousExtensions)
| extend TargetsSuspiciousPath = ProcessCommandLine has_any (SuspiciousTargetPaths)
| extend IsRename = ProcessCommandLine has_any ("ren ", "rename ", "Rename-Item", "mv ")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          TargetsSuspiciousPath, IsRename, FolderPath, ProcessId
| extend EventSource = "ProcessCopy";
// Detect file creation events in suspicious directories for executable types
let FileCopyEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileRenamed")
| where FolderPath has_any (SuspiciousTargetPaths)
| where FileName has_any (SuspiciousExtensions)
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe", "explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          FileName, FolderPath, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessId, SHA256
| extend EventSource = "FileCopy", TargetsSuspiciousPath = true, IsRename = (ActionType == "FileRenamed");
ProcessCopyEvents
| union FileCopyEvents
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Software installers and update mechanisms that copy executables to Program Files or Windows directories
IT administrators using robocopy or xcopy for legitimate software deployment and patch management
Antivirus or EDR quarantine operations that move suspicious files to quarantine directories
Legitimate application self-update routines that copy new versions to AppData or Temp before replacing the original
Backup software copying executable files as part of scheduled backup operations

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11)
)
| eval EventType=case(
    EventCode=1, "ProcessCreate",
    EventCode=11, "FileCreate",
    true(), "Unknown"
  )
| eval CommandOrTarget=coalesce(CommandLine, TargetFilename)
| eval IsExecutable=if(match(CommandOrTarget, "(?i)\.(exe|dll|bat|ps1|vbs|js|hta|cmd|scr|cpl|pif)("|$|\s)"), 1, 0)
| eval SuspiciousPath=if(match(CommandOrTarget, "(?i)(\\appdata\\roaming|\\appdata\\local\\temp|\\programdata|\\windows\\temp|\\users\\public|\\windows\\system32|\\windows\\syswow64|\$recycle\.bin|recycle)"), 1, 0)
| eval CopyAction=if(
    EventCode=1 AND match(lower(CommandLine), "(\scopy\s|xcopy|robocopy|copy-item|move-item|\smove\s|\bcp\s|\bmv\s|\bren\s|rename-item)"),
    1, 0
  )
| eval FileDropped=if(EventCode=11 AND (match(Image, "(?i)(cmd|powershell|pwsh|xcopy|robocopy|wscript|cscript|mshta)\.exe")), 1, 0)
| eval SuspicionScore=IsExecutable + SuspiciousPath + CopyAction + FileDropped
| where SuspicionScore >= 2
| eval ParentOrInitiator=coalesce(ParentImage, Image)
| table _time, host, User, EventType, Image, CommandOrTarget, ParentImage, ParentCommandLine, IsExecutable, SuspiciousPath, CopyAction, FileDropped, SuspicionScore
| sort - SuspicionScore, - _time

medium severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software installers and update mechanisms that copy executables to Program Files or Windows directories
IT administrators using robocopy or xcopy for legitimate software deployment and patch management
Antivirus or EDR quarantine operations that move suspicious files to quarantine directories
Legitimate application self-update routines that copy new versions to AppData or Temp before replacing the original
Backup software copying executable files as part of scheduled backup operations

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and
    host.os.type == "windows" and
    process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe") and
    (
      process.command_line like~ "* copy *" or
      process.command_line like~ "*xcopy *" or
      process.command_line like~ "*robocopy *" or
      process.command_line like~ "*Copy-Item*" or
      process.command_line like~ "*Move-Item*" or
      process.command_line like~ "* move *" or
      process.command_line like~ "*Rename-Item*"
    ) and
    (
      process.command_line like~ "*.exe*" or
      process.command_line like~ "*.dll*" or
      process.command_line like~ "*.bat*" or
      process.command_line like~ "*.ps1*" or
      process.command_line like~ "*.vbs*" or
      process.command_line like~ "*.hta*" or
      process.command_line like~ "*.cmd*" or
      process.command_line like~ "*.scr*" or
      process.command_line like~ "*.pif*"
    )
  ) or
  (
    event.category == "file" and
    host.os.type == "windows" and
    event.action in~ ("creation", "rename") and
    (
      file.path like~ "*\\AppData\\Roaming\\*" or
      file.path like~ "*\\AppData\\Local\\Temp\\*" or
      file.path like~ "*\\ProgramData\\*" or
      file.path like~ "*\\Windows\\Temp\\*" or
      file.path like~ "*\\Users\\Public\\*" or
      file.path like~ "*\\Windows\\System32\\*" or
      file.path like~ "*\\Windows\\SysWOW64\\*" or
      file.path like~ "*\\Recycle*"
    ) and
    file.extension in~ ("exe", "dll", "bat", "ps1", "vbs", "js", "hta", "cmd", "scr", "cpl", "pif") and
    process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe", "explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security agent Winlogbeat with Sysmon for Windows Elastic Agent endpoint integration

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

IT administrators using robocopy or xcopy to deploy or migrate software packages to ProgramData or System32 during sanctioned maintenance windows, which will satisfy both the copy-command and suspicious-path conditions simultaneously
Software installers (MSI, NSIS, Inno Setup) that invoke cmd.exe or PowerShell child processes to stage executable files in AppData or ProgramData as part of legitimate application installation workflows
Endpoint Detection and Response or antivirus products that move quarantined payloads to Temp or Recycle directories, generating file creation events attributed to their own process name which may itself match the LOLBin allowlist

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip AS source_ip,
  username,
  QIDNAME(qid) AS event_name,
  "EventID" AS sysmon_event_id,
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "TargetFilename" AS target_filename,
  "ParentImage" AS parent_image,
  "ParentCommandLine" AS parent_command_line
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND starttime > NOW() - 86400000
  AND (
    (
      "EventID" = '1'
      AND (
        LOWER("CommandLine") LIKE '% copy %' OR
        LOWER("CommandLine") LIKE '%xcopy%' OR
        LOWER("CommandLine") LIKE '%robocopy%' OR
        LOWER("CommandLine") LIKE '%copy-item%' OR
        LOWER("CommandLine") LIKE '%move-item%' OR
        LOWER("CommandLine") LIKE '% move %' OR
        LOWER("CommandLine") LIKE '%rename-item%'
      )
      AND (
        LOWER("CommandLine") LIKE '%.exe%' OR
        LOWER("CommandLine") LIKE '%.dll%' OR
        LOWER("CommandLine") LIKE '%.bat%' OR
        LOWER("CommandLine") LIKE '%.ps1%' OR
        LOWER("CommandLine") LIKE '%.vbs%' OR
        LOWER("CommandLine") LIKE '%.hta%' OR
        LOWER("CommandLine") LIKE '%.cmd%' OR
        LOWER("CommandLine") LIKE '%.scr%' OR
        LOWER("CommandLine") LIKE '%.pif%'
      )
    )
    OR (
      "EventID" = '11'
      AND (
        LOWER("TargetFilename") LIKE '%\\appdata\\roaming\\%' OR
        LOWER("TargetFilename") LIKE '%\\appdata\\local\\temp\\%' OR
        LOWER("TargetFilename") LIKE '%\\programdata\\%' OR
        LOWER("TargetFilename") LIKE '%\\windows\\temp\\%' OR
        LOWER("TargetFilename") LIKE '%\\users\\public\\%' OR
        LOWER("TargetFilename") LIKE '%\\windows\\system32\\%' OR
        LOWER("TargetFilename") LIKE '%\\windows\\syswow64\\%' OR
        LOWER("TargetFilename") LIKE '%recycle%'
      )
      AND (
        LOWER("TargetFilename") LIKE '%.exe' OR
        LOWER("TargetFilename") LIKE '%.dll' OR
        LOWER("TargetFilename") LIKE '%.bat' OR
        LOWER("TargetFilename") LIKE '%.ps1' OR
        LOWER("TargetFilename") LIKE '%.vbs' OR
        LOWER("TargetFilename") LIKE '%.hta' OR
        LOWER("TargetFilename") LIKE '%.cmd' OR
        LOWER("TargetFilename") LIKE '%.scr' OR
        LOWER("TargetFilename") LIKE '%.pif'
      )
      AND (
        LOWER("Image") LIKE '%cmd.exe' OR
        LOWER("Image") LIKE '%powershell.exe' OR
        LOWER("Image") LIKE '%pwsh.exe' OR
        LOWER("Image") LIKE '%xcopy.exe' OR
        LOWER("Image") LIKE '%robocopy.exe' OR
        LOWER("Image") LIKE '%wscript.exe' OR
        LOWER("Image") LIKE '%cscript.exe' OR
        LOWER("Image") LIKE '%mshta.exe'
      )
    )
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM with Microsoft Sysmon DSM Windows Event Log source forwarding Sysmon Operational channel

Required Tables

events

False Positives

Automated patch management systems such as WSUS or SCCM that invoke robocopy or xcopy to distribute executable update packages to ProgramData or System32 directories during scheduled maintenance windows
Custom application deployment scripts run by cmd.exe or PowerShell that legitimately copy EXE or DLL files to standard installation directories as part of approved software packaging pipelines
Backup and recovery agents that spawn shell processes to move or rename executable files during restoration workflows, satisfying the process image, extension, and suspicious path conditions simultaneously

Sumo Logic CSE

sql

_sourceCategory=*sysmon* (EventCode=1 OR EventCode=11)
| parse xml field=_raw "/Event/System/EventID" as EventCode
| parse xml field=_raw "/Event/EventData/Data[@Name='Image']" as Image nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='CommandLine']" as CommandLine nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='TargetFilename']" as TargetFilename nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='ParentImage']" as ParentImage nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='ParentCommandLine']" as ParentCommandLine nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='User']" as User nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='Hashes']" as Hashes nodrop
| eval CommandOrTarget = if (isNull(CommandLine) or CommandLine="", TargetFilename, CommandLine)
| eval IsCopyProcess = if (
    EventCode="1" and matches(toLowerCase(CommandLine), ".*(\scopy\s|xcopy|robocopy|copy-item|move-item|\smove\s|rename-item).*"),
    1, 0)
| eval HasExeExtension = if (
    matches(toLowerCase(CommandOrTarget), ".*\.(exe|dll|bat|ps1|vbs|hta|cmd|scr|cpl|pif).*"),
    1, 0)
| eval TargetsSuspiciousPath = if (
    matches(toLowerCase(CommandOrTarget), ".*(appdata.roaming|appdata.local.temp|programdata|windows.temp|users.public|windows.system32|windows.syswow64|recycle).*"),
    1, 0)
| eval FileDropByLolBin = if (
    EventCode="11" and matches(toLowerCase(Image), ".*(cmd|powershell|pwsh|xcopy|robocopy|wscript|cscript|mshta)\.exe.*"),
    1, 0)
| eval SuspicionScore = IsCopyProcess + HasExeExtension + TargetsSuspiciousPath + FileDropByLolBin
| where SuspicionScore >= 2
| fields _messageTime, _sourceHost, User, EventCode, Image, CommandLine, TargetFilename, ParentImage, ParentCommandLine, Hashes, SuspicionScore
| sort by -SuspicionScore, -_messageTime

high severity medium confidence

Data Sources

Sumo Logic with Windows Event Collector forwarding Sysmon Operational log Sumo Logic Installed Collector on Windows endpoints with Sysmon source

Required Tables

Sysmon Operational log events routed to _sourceCategory=*sysmon*

False Positives

Enterprise software distribution tools such as Chocolatey, PDQ Deploy, or Ninite that invoke PowerShell or cmd.exe to copy installer executables into ProgramData or Temp directories during automated software rollout jobs, easily scoring 3 out of 4 signals
Developer CI/CD pipelines running on Windows build agents that use PowerShell Copy-Item or robocopy to stage compiled binaries in system or roaming profile directories during artifact packaging or test deployment steps
Group Policy Software Installation or logon scripts that copy .bat, .ps1, or .vbs scripts to user AppData directories as part of scheduled workstation profile customisations, triggering both the extension and path signals

Google Chronicle / SecOps

yaral

rule malware_relocation_t1070_010 {
  meta:
    author = "Detection Engineering"
    description = "Detects T1070.010 - Malware relocation via copy/move commands or executable file creation in suspicious directories by shell or LOLBin processes"
    severity = "HIGH"
    confidence = "MEDIUM"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.010"
    reference = "https://attack.mitre.org/techniques/T1070/010/"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.target.process.file.full_path = /(?i)\\(cmd|powershell|pwsh|xcopy|robocopy)\.exe$/
    $proc.target.process.command_line = /(?i)(\scopy\s|xcopy\s|robocopy\s|Copy-Item|Move-Item|\smove\s|\bcp\s|\bmv\s|Rename-Item)/
    $proc.target.process.command_line = /(?i)\.(exe|dll|bat|ps1|vbs|js|hta|cmd|scr|cpl|pif)/

    $file.metadata.event_type = "FILE_CREATION"
    $file.target.file.full_path = /(?i)(\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Windows\\Temp\\|\\Users\\Public\\|\\Windows\\System32\\|\\Windows\\SysWOW64\\|\\\$Recycle\.Bin)/
    $file.target.file.full_path = /(?i)\.(exe|dll|bat|ps1|vbs|js|hta|cmd|scr|cpl|pif)$/
    $file.principal.process.file.full_path = /(?i)\\(cmd|powershell|pwsh|xcopy|robocopy|explorer|wscript|cscript|mshta)\.exe$/

  condition:
    $proc or $file
}

high severity medium confidence

Data Sources

Google Chronicle SIEM with UDM normalization Chronicle forwarder ingesting Windows Sysmon or EDR telemetry Google Cloud Chronicle via Windows Event Log connector

Required Tables

PROCESS_LAUNCH UDM events FILE_CREATION UDM events

False Positives

Legitimate administrative use of PowerShell Copy-Item or robocopy targeting System32 or ProgramData during sanctioned deployment workflows, common in enterprise patching pipelines where the process image, command verb, and destination path all match detection conditions
Windows Installer (msiexec.exe) spawning cmd.exe child processes that copy DLL or EXE payloads to System32 or SysWOW64 during in-progress MSI installations, where Chronicle may attribute the FILE_CREATION event to the cmd.exe intermediary
Remote management and helpdesk tooling such as PDQ Deploy or Ansible over WinRM that drop PowerShell scripts or executables into AppData\Roaming or Users\Public for subsequent execution during sanctioned remote support sessions

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1070.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Relocate Malware

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections