T1070.010 Elastic Security · Elastic

Detect Relocate Malware in Elastic Security

Once a payload is delivered, adversaries may create additional copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying payloads to new locations may be combined with file deletion to clean up the older artifacts. Adversaries may rename payloads to blend into the local environment, target file/path exclusions (such as AV exclusion directories), or place payloads in persistence-related directories. Moving a payload does not change its creation timestamp, so detection logic that relies on file creation time is evaded.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1070 Indicator Removal
Sub-technique: T1070.010 Relocate Malware
Canonical reference: https://attack.mitre.org/techniques/T1070/010/

Elastic Detection Query

Query (EQL):
any where
  (
    event.category == "process" and
    host.os.type == "windows" and
    process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe") and
    (
      process.command_line like~ "* copy *" or
      process.command_line like~ "*xcopy *" or
      process.command_line like~ "*robocopy *" or
      process.command_line like~ "*Copy-Item*" or
      process.command_line like~ "*Move-Item*" or
      process.command_line like~ "* move *" or
      process.command_line like~ "*Rename-Item*"
    ) and
    (
      process.command_line like~ "*.exe*" or
      process.command_line like~ "*.dll*" or
      process.command_line like~ "*.bat*" or
      process.command_line like~ "*.ps1*" or
      process.command_line like~ "*.vbs*" or
      process.command_line like~ "*.hta*" or
      process.command_line like~ "*.cmd*" or
      process.command_line like~ "*.scr*" or
      process.command_line like~ "*.pif*"
    )
  ) or
  (
    event.category == "file" and
    host.os.type == "windows" and
    event.action in~ ("creation", "rename") and
    (
      file.path like~ "*\\AppData\\Roaming\\*" or
      file.path like~ "*\\AppData\\Local\\Temp\\*" or
      file.path like~ "*\\ProgramData\\*" or
      file.path like~ "*\\Windows\\Temp\\*" or
      file.path like~ "*\\Users\\Public\\*" or
      file.path like~ "*\\Windows\\System32\\*" or
      file.path like~ "*\\Windows\\SysWOW64\\*" or
      file.path like~ "*\\Recycle*"
    ) and
    file.extension in~ ("exe", "dll", "bat", "ps1", "vbs", "js", "hta", "cmd", "scr", "cpl", "pif") and
    process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe", "explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe")
  )
Severity: high. Confidence: medium.

Detects T1070.010 malware relocation using two complementary branches: (1) process events in which cmd.exe, PowerShell, xcopy, or robocopy issues a copy, move, or rename command whose command line references an executable file extension; (2) file creation or rename events for executable file types in commonly abused staging directories, initiated by LOLBin processes. Covers Elastic Endpoint process and file telemetry as well as Winlogbeat-forwarded Sysmon Event ID 1 and Event ID 11.
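To see how the two branches evaluate, the following is an added Python re-implementation of the rule's matching logic (not Elastic's code) run over constructed ECS-style events modelled on Test 1 below and on the robocopy false-positive case; the deploy_accounts suppression keyed on user.name is an assumed tuning knob, not part of the rule.

```python
# Added example (not Elastic's code): the page's two-branch EQL rule re-implemented in Python
# so its matching logic can be exercised offline against constructed ECS-style events.
import fnmatch

COPY_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe"}
COPY_VERBS = ("* copy *", "*xcopy *", "*robocopy *", "*Copy-Item*", "*Move-Item*", "* move *", "*Rename-Item*")
CMD_EXTS = ("*.exe*", "*.dll*", "*.bat*", "*.ps1*", "*.vbs*", "*.hta*", "*.cmd*", "*.scr*", "*.pif*")
STAGING = (r"*\AppData\Roaming\*", r"*\AppData\Local\Temp\*", r"*\ProgramData\*", r"*\Windows\Temp\*",
           r"*\Users\Public\*", r"*\Windows\System32\*", r"*\Windows\SysWOW64\*", r"*\Recycle*")
FILE_EXTS = {"exe", "dll", "bat", "ps1", "vbs", "js", "hta", "cmd", "scr", "cpl", "pif"}
FILE_PROCS = COPY_PROCS | {"explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def like_ci(value, patterns):
    """EQL like~: case-insensitive glob match against any pattern (backslashes are literal)."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def process_branch(ev):
    """Branch 1: a copy/move/rename command line that also names an executable extension."""
    cmd = ev.get("process.command_line", "")
    return (ev.get("event.category") == "process" and ev.get("host.os.type") == "windows"
            and ev.get("process.name", "").lower() in COPY_PROCS
            and like_ci(cmd, COPY_VERBS) and like_ci(cmd, CMD_EXTS))

def file_branch(ev):
    """Branch 2: an executable created or renamed in a staging directory by a listed process."""
    return (ev.get("event.category") == "file" and ev.get("host.os.type") == "windows"
            and ev.get("event.action", "").lower() in ("creation", "rename")
            and like_ci(ev.get("file.path", ""), STAGING)
            and ev.get("file.extension", "").lower() in FILE_EXTS
            and ev.get("process.name", "").lower() in FILE_PROCS)

def matches(ev, deploy_accounts=frozenset()):
    """Rule verdict; deploy_accounts (assumed tuning, ECS user.name) suppresses sanctioned deployment runs."""
    if ev.get("user.name", "").lower() in deploy_accounts:
        return False
    return process_branch(ev) or file_branch(ev)

# Constructed sample events: Test 1's two signals, a benign copy, and the admin robocopy case.
# Note the benign line is written as "cmd /c": a command line spelling out cmd.exe would satisfy "*.exe*" by itself.
WIN = {"host.os.type": "windows"}
EVENTS = {
    "t1_proc": {**WIN, "event.category": "process", "process.name": "cmd.exe", "user.name": "alice",
                "process.command_line": r"cmd.exe /c copy C:\Windows\System32\calc.exe %APPDATA%\Local\Temp\svchost32.exe"},
    "t1_file": {**WIN, "event.category": "file", "event.action": "creation", "process.name": "cmd.exe",
                "user.name": "alice", "file.extension": "exe", "file.path": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"},
    "benign": {**WIN, "event.category": "process", "process.name": "cmd.exe", "user.name": "alice",
               "process.command_line": r"cmd /c copy notes.txt D:\backup\notes.txt"},
    "deploy": {**WIN, "event.category": "process", "process.name": "robocopy.exe", "user.name": "svc_deploy",
               "process.command_line": r"robocopy \\fs01\pkg C:\ProgramData\Vendor app.exe /Z"},
}
```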

Data Sources

  • Elastic Endpoint Security agent
  • Winlogbeat with Sysmon for Windows
  • Elastic Agent endpoint integration

Required Tables

  • logs-endpoint.events.process-*
  • logs-endpoint.events.file-*
  • winlogbeat-*

False Positives & Tuning

  • IT administrators using robocopy or xcopy to deploy or migrate software packages to ProgramData or System32 during sanctioned maintenance windows, which will satisfy both the copy-command and suspicious-path conditions simultaneously
  • Software installers (MSI, NSIS, Inno Setup) that invoke cmd.exe or PowerShell child processes to stage executable files in AppData or ProgramData as part of legitimate application installation workflows
  • Endpoint Detection and Response or antivirus products that move quarantined payloads to Temp or Recycle directories, generating file creation events attributed to a process name that may itself be in the rule's process list

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Copy Executable to AppData Temp Directory Using cmd.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'copy C:\Windows\System32\calc.exe' and 'svchost32.exe'. Sysmon Event ID 11: File Create with TargetFilename=%APPDATA%\Local\Temp\svchost32.exe, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FileName=svchost32.exe, FolderPath contains AppData\Local\Temp.

  2. Test 2: Relocate Payload Using PowerShell Copy-Item to ProgramData

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Copy-Item' and 'ProgramData'. Sysmon Event ID 11: File Create with TargetFilename=C:\ProgramData\WindowsUpdate\wuauclt_helper.exe, Image=powershell.exe. DeviceProcessEvents: ProcessCommandLine has 'Copy-Item' and '.exe'. DeviceFileEvents: ActionType=FileCreated in ProgramData path.

  3. Test 3: Move and Delete Original Payload Simulating Evidence Cleanup

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with full copy-and-delete command line. Sysmon Event ID 11: File Create for %TEMP%\dropped_invoice.exe and %APPDATA%\Microsoft\Windows\helper_svc.exe. Sysmon Event ID 23: File Delete for %TEMP%\dropped_invoice.exe. DeviceFileEvents: ActionType=FileCreated (helper_svc.exe in AppData\Microsoft\Windows) and ActionType=FileDeleted (dropped_invoice.exe in Temp).

  4. Test 4: Rename and Relocate Payload Using xcopy to Windows Temp

    Expected signal: Sysmon Event ID 1: Process Create with Image=xcopy.exe, CommandLine containing 'calc.exe' and 'C:\Windows\Temp\msupdate_kb.exe'. Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\Temp\msupdate_kb.exe, Image=xcopy.exe. DeviceProcessEvents: FileName=xcopy.exe, ProcessCommandLine has .exe extension and Windows\Temp path.
