T1070.010 Google Chronicle · YARA-L

Detect Relocate Malware in Google Chronicle

Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may be combined with file deletion to clean up older artifacts. Adversaries may rename payloads to blend into the local environment, target file/path exclusions (such as AV exclusion directories), or position payloads in persistence-related directories. Moving payloads does not alter the Creation timestamp, evading detection logic reliant on file creation time modifications.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1070 Indicator Removal
Sub-technique: T1070.010 Relocate Malware
Canonical reference: https://attack.mitre.org/techniques/T1070/010/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule malware_relocation_t1070_010 {
  meta:
    author = "Detection Engineering"
    description = "Detects T1070.010 - Malware relocation via copy/move commands or executable file creation in suspicious directories by shell or LOLBin processes"
    severity = "HIGH"
    confidence = "MEDIUM"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1070.010"
    reference = "https://attack.mitre.org/techniques/T1070/010/"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.target.process.file.full_path = /(?i)\\(cmd|powershell|pwsh|xcopy|robocopy)\.exe$/
    $proc.target.process.command_line = /(?i)(\scopy\s|xcopy\s|robocopy\s|Copy-Item|Move-Item|\smove\s|\bcp\s|\bmv\s|Rename-Item)/
    $proc.target.process.command_line = /(?i)\.(exe|dll|bat|ps1|vbs|js|hta|cmd|scr|cpl|pif)/

    $file.metadata.event_type = "FILE_CREATION"
    $file.target.file.full_path = /(?i)(\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Windows\\Temp\\|\\Users\\Public\\|\\Windows\\System32\\|\\Windows\\SysWOW64\\|\\\$Recycle\.Bin)/
    $file.target.file.full_path = /(?i)\.(exe|dll|bat|ps1|vbs|js|hta|cmd|scr|cpl|pif)$/
    $file.principal.process.file.full_path = /(?i)\\(cmd|powershell|pwsh|xcopy|robocopy|explorer|wscript|cscript|mshta)\.exe$/

  condition:
    $proc or $file
}

Chronicle YARA-L 2.0 rule with two independent detection branches joined by an OR condition. Branch $proc fires on PROCESS_LAUNCH events where cmd.exe, PowerShell (powershell.exe or pwsh.exe), xcopy, or robocopy is launched with a command line that contains both a copy, move, or rename verb and an executable file extension. Branch $file fires on FILE_CREATION events where a file with an executable extension is written into one of the listed staging directories (AppData\Roaming, AppData\Local\Temp, ProgramData, Windows\Temp, Users\Public, System32, SysWOW64, $Recycle.Bin) by cmd.exe, PowerShell, xcopy, robocopy, explorer.exe, wscript.exe, cscript.exe, or mshta.exe. Either branch on its own satisfies the condition, so the rule keeps coverage when only process telemetry or only file telemetry is ingested.

Data Sources

  • Google Chronicle SIEM with UDM normalization
  • Chronicle forwarder ingesting Windows Sysmon or EDR telemetry
  • Google Cloud Chronicle via Windows Event Log connector

Required Tables

  • PROCESS_LAUNCH UDM events
  • FILE_CREATION UDM events

False Positives & Tuning

  • Legitimate administrative use of PowerShell Copy-Item or robocopy targeting System32 or ProgramData during sanctioned deployment workflows, common in enterprise patching pipelines where the process image, command verb, and destination path all match detection conditions
  • Windows Installer (msiexec.exe) spawning cmd.exe child processes that copy DLL or EXE payloads to System32 or SysWOW64 during in-progress MSI installations, where Chronicle may attribute the FILE_CREATION event to the cmd.exe intermediary
  • Remote management and helpdesk tooling such as PDQ Deploy or Ansible over WinRM that drop PowerShell scripts or executables into AppData\Roaming or Users\Public for subsequent execution during sanctioned remote support sessions
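
As an added example (not part of this page or of Chronicle's own tooling), the Python below re-implements both branches of the rule above with the same six regexes, runs them over constructed UDM-like events modelled on the four tests in the Testing Methodology section, and then layers an example suppression for the false-positive cases listed here (an msiexec.exe parent and a sanctioned deployment account). Field names follow UDM; the `principal.process.parent_process.file.full_path` lookup is an assumption about how your pipeline populates parent data, and the `svc_patchdeploy` account name, the user `alice`, and the MSI temp path are constructed values.

```python
import re

# Rule logic: the same six regexes as the YARA-L rule above, evaluated with Python's re
PROC_IMAGE = re.compile(r"(?i)\\(cmd|powershell|pwsh|xcopy|robocopy)\.exe$")
COPY_VERB = re.compile(r"(?i)(\scopy\s|xcopy\s|robocopy\s|Copy-Item|Move-Item|\smove\s|\bcp\s|\bmv\s|Rename-Item)")
EXEC_EXT_ANY = re.compile(r"(?i)\.(exe|dll|bat|ps1|vbs|js|hta|cmd|scr|cpl|pif)")
STAGING_DIR = re.compile(
    r"(?i)(\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Windows\\Temp\\"
    r"|\\Users\\Public\\|\\Windows\\System32\\|\\Windows\\SysWOW64\\|\\\$Recycle\.Bin)")
EXEC_EXT_END = re.compile(r"(?i)\.(exe|dll|bat|ps1|vbs|js|hta|cmd|scr|cpl|pif)$")
FILE_WRITER = re.compile(r"(?i)\\(cmd|powershell|pwsh|xcopy|robocopy|explorer|wscript|cscript|mshta)\.exe$")


def proc_branch(ev: dict) -> bool:
    """$proc: copy utility or shell launched with a copy/move verb and an executable extension."""
    cmd = ev.get("target.process.command_line", "")
    return (ev.get("metadata.event_type") == "PROCESS_LAUNCH"
            and PROC_IMAGE.search(ev.get("target.process.file.full_path", "")) is not None
            and COPY_VERB.search(cmd) is not None
            and EXEC_EXT_ANY.search(cmd) is not None)


def file_branch(ev: dict) -> bool:
    """$file: executable written into a staging directory by one of the listed shells/script hosts."""
    path = ev.get("target.file.full_path", "")
    return (ev.get("metadata.event_type") == "FILE_CREATION"
            and STAGING_DIR.search(path) is not None
            and EXEC_EXT_END.search(path) is not None
            and FILE_WRITER.search(ev.get("principal.process.file.full_path", "")) is not None)


# Tuning layer (added here, not part of the rule): suppress the benign cases listed on the page.
SANCTIONED_PARENTS = {"msiexec.exe"}   # Windows Installer spawning cmd.exe during an MSI install
SANCTIONED_USERS = {"svc_patchdeploy"}  # constructed name for a patch-deployment service account


def parent_image(ev: dict) -> str:
    """For PROCESS_LAUNCH the launcher is principal.process; for FILE_CREATION the writer is
    principal.process, so its parent is read from parent_process (assumed to be populated)."""
    if ev.get("metadata.event_type") == "PROCESS_LAUNCH":
        return ev.get("principal.process.file.full_path", "")
    return ev.get("principal.process.parent_process.file.full_path", "")


def triage(ev: dict) -> str:
    """NONE if the rule does not fire, SUPPRESSED if it fires on a sanctioned case, else ALERT."""
    if not (proc_branch(ev) or file_branch(ev)):
        return "NONE"
    parent = parent_image(ev).rsplit("\\", 1)[-1].lower()
    user = ev.get("principal.user.userid", "").lower()
    return "SUPPRESSED" if parent in SANCTIONED_PARENTS or user in SANCTIONED_USERS else "ALERT"


# Constructed UDM-like events modelled on the page's four tests plus two tuning cases.
def launch(name, parent, user, image, cmdline):
    return {"name": name, "metadata.event_type": "PROCESS_LAUNCH",
            "principal.process.file.full_path": parent, "principal.user.userid": user,
            "target.process.file.full_path": image, "target.process.command_line": cmdline}


def created(name, writer, parent, user, path):
    return {"name": name, "metadata.event_type": "FILE_CREATION",
            "principal.process.file.full_path": writer,
            "principal.process.parent_process.file.full_path": parent,
            "principal.user.userid": user, "target.file.full_path": path}


CMD, XCOPY = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\xcopy.exe"
PS, EXPLORER = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    # Test 1: cmd.exe copies calc.exe into Local\Temp under a new name (process + file telemetry)
    launch("t1-proc", EXPLORER, "alice", CMD, r'cmd.exe /c copy C:\Windows\System32\calc.exe "%LOCALAPPDATA%\Temp\svchost32.exe"'),
    created("t1-file", CMD, EXPLORER, "alice", r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"),
    # Test 2: PowerShell Copy-Item into ProgramData
    launch("t2-proc", EXPLORER, "alice", PS, r"powershell.exe -Command Copy-Item C:\Windows\System32\calc.exe C:\ProgramData\WindowsUpdate\wuauclt_helper.exe"),
    # Test 3: the relocated copy landing in AppData\Roaming
    created("t3-file", CMD, EXPLORER, "alice", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\helper_svc.exe"),
    # Test 4: xcopy invoked by its full image name, which the verb regex does not match
    launch("t4-proc-xcopy", CMD, "alice", XCOPY, r"xcopy.exe C:\Windows\System32\calc.exe C:\Windows\Temp\msupdate_kb.exe* /Y"),
    created("t4-file", XCOPY, CMD, "alice", r"C:\Windows\Temp\msupdate_kb.exe"),
    # Tuning: msiexec-spawned cmd.exe copying a DLL into System32 during an install (constructed path)
    launch("fp-msiexec-proc", r"C:\Windows\System32\msiexec.exe", "SYSTEM", CMD, r"cmd.exe /c copy C:\Windows\Installer\MSI1234.tmp\vendor.dll C:\Windows\System32\vendor.dll"),
    # Tuning: sanctioned deployment account using robocopy into ProgramData
    launch("fp-deploy-robocopy", PS, "svc_patchdeploy", r"C:\Windows\System32\Robocopy.exe", r"robocopy \\fileserver\patches\agent C:\ProgramData\Agent agent.exe /R:1"),
    # Benign: no copy verb and no executable extension in the command line
    launch("benign-dir", EXPLORER, "alice", CMD, r"cmd.exe /c dir C:\Users\alice\Documents"),
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Map each event name to its triage verdict."""
    return {ev["name"]: triage(ev) for ev in events}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:20s} {verdict}")
```

Running it shows why the two branches matter: the `xcopy.exe src dst` invocation slips past the $proc branch (the verb regex only matches `xcopy` followed by whitespace), but the $file branch still alerts once the file lands in C:\Windows\Temp. The suppressions are deliberately narrow, keyed on the parent image or a named service account rather than on a destination directory, because the staging directories are the signal the rule depends on.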

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Copy Executable to AppData Temp Directory Using cmd.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'copy C:\Windows\System32\calc.exe' and 'svchost32.exe'. Sysmon Event ID 11: File Create with TargetFilename=%APPDATA%\Local\Temp\svchost32.exe, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FileName=svchost32.exe, FolderPath contains AppData\Local\Temp.

  2. Test 2: Relocate Payload Using PowerShell Copy-Item to ProgramData

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Copy-Item' and 'ProgramData'. Sysmon Event ID 11: File Create with TargetFilename=C:\ProgramData\WindowsUpdate\wuauclt_helper.exe, Image=powershell.exe. DeviceProcessEvents: ProcessCommandLine has 'Copy-Item' and '.exe'. DeviceFileEvents: ActionType=FileCreated in ProgramData path.

  3. Test 3: Move and Delete Original Payload Simulating Evidence Cleanup

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with full copy-and-delete command line. Sysmon Event ID 11: File Create for %TEMP%\dropped_invoice.exe and %APPDATA%\Microsoft\Windows\helper_svc.exe. Sysmon Event ID 23: File Delete for %TEMP%\dropped_invoice.exe. DeviceFileEvents: ActionType=FileCreated (helper_svc.exe in AppData\Microsoft\Windows) and ActionType=FileDeleted (dropped_invoice.exe in Temp).

  4. Test 4: Rename and Relocate Payload Using xcopy to Windows Temp

    Expected signal: Sysmon Event ID 1: Process Create with Image=xcopy.exe, CommandLine containing 'calc.exe' and 'C:\Windows\Temp\msupdate_kb.exe'. Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\Temp\msupdate_kb.exe, Image=xcopy.exe. DeviceProcessEvents: FileName=xcopy.exe, ProcessCommandLine has .exe extension and Windows\Temp path.
