T1070.010 CrowdStrike LogScale · LogScale

Detect Relocate Malware in CrowdStrike LogScale

Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may be combined with file deletion to clean up older artifacts. Adversaries may rename payloads to blend into the local environment, target file/path exclusions (such as AV exclusion directories), or position payloads in persistence-related directories. Moving payloads does not alter the Creation timestamp, evading detection logic reliant on file creation time modifications.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.010 Relocate Malware
Canonical reference
https://attack.mitre.org/techniques/T1070/010/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

// T1070.010 - Malware Relocation: executable copy/move via shell or scripting processes
#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/
| ImageFileName = /(?i)\\(cmd|powershell|pwsh|xcopy|robocopy)\.exe$/
| CommandLine = /(?i)(\scopy\s|xcopy\s|robocopy\s|Copy-Item|Move-Item|\smove\s|\bcp\s|\bmv\s|Rename-Item)/
| CommandLine = /(?i)\.(exe|dll|bat|ps1|vbs|hta|cmd|scr|cpl|pif)/
// Derive the SuspiciousTarget flag with case{}: in CQL a bare comparison is a filter,
// not a value that := can assign, so "SuspiciousTarget := CommandLine = /.../" is not valid
| case {
    CommandLine = /(?i)(\\AppData\\Roaming|\\AppData\\Local\\Temp|\\ProgramData|\\Windows\\Temp|\\Users\\Public|\\Windows\\System32|\\Windows\\SysWOW64|\\Recycle\.Bin)/ | SuspiciousTarget := "true";
    * | SuspiciousTarget := "false"
  }
| groupBy(
    [ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, SuspiciousTarget],
    function=[
      count(as=EventCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(EventCount, order=desc)

Severity: high · Confidence: medium

CrowdStrike LogScale (Falcon Data Replicator) query over ProcessRollup2 and SyntheticProcessRollup2 events detecting cmd.exe, PowerShell, xcopy, or robocopy processes executing copy, move, or rename operations on executable file types. A derived boolean field SuspiciousTarget flags events where the command line references a known adversary staging path. Results are aggregated by host, user, command line, and parent process to surface repeated relocation patterns and identify campaign-scale activity across the fleet.

Data Sources

  • CrowdStrike Falcon Data Replicator (FDR) via LogScale
  • CrowdStrike Falcon SIEM Connector with ProcessRollup2 events
  • Humio or LogScale repository ingesting Falcon sensor telemetry

Required Tables

  • ProcessRollup2
  • SyntheticProcessRollup2

False Positives & Tuning

  • CrowdStrike Falcon sensor update workflows or Prevention Policy enforcement actions that internally invoke shell processes to copy or stage executable components under ProgramData paths, generating ProcessRollup2 events that match all filter conditions
  • Enterprise endpoint management agents such as BigFix, Tanium, or Ivanti that spawn cmd.exe or PowerShell sub-processes to copy update packages (EXE, DLL) into staging directories during automated patch cycles, consistently matching process image, command verb, and extension filters
  • Developer workstations running build automation toolchains (MSBuild, CMake, Gradle native tasks) that invoke robocopy or PowerShell Copy-Item to deploy compiled native binaries to local test directories including AppData or Windows Temp paths
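To make the query's logic testable offline, the following Python script is an added example (not part of this detection page or of LogScale) that re-implements the same filter chain over a handful of constructed ProcessRollup2-style events: the image, command-verb and extension regexes are transcribed from the query above, the SuspiciousTarget flag is derived the same way, and the groupBy/count/min/max aggregation is emulated in plain Python. It also shows one tuning approach for the false positives listed above: suppressing events whose parent process is on an allowlist. The event records, host and user names, and the parent process name `patchagent_example.exe` are constructed placeholders, not real FDR data or vendor binary names.

```python
import re

# Regexes transcribed from the LogScale query. Python's re accepts the same
# (?i) inline flag and uses \\ for a literal backslash, exactly as CQL does.
IMAGE_RE = re.compile(r"(?i)\\(cmd|powershell|pwsh|xcopy|robocopy)\.exe$")
VERB_RE = re.compile(
    r"(?i)(\scopy\s|xcopy\s|robocopy\s|Copy-Item|Move-Item|\smove\s|\bcp\s|\bmv\s|Rename-Item)"
)
EXT_RE = re.compile(r"(?i)\.(exe|dll|bat|ps1|vbs|hta|cmd|scr|cpl|pif)")
STAGING_RE = re.compile(
    r"(?i)(\\AppData\\Roaming|\\AppData\\Local\\Temp|\\ProgramData|\\Windows\\Temp"
    r"|\\Users\\Public|\\Windows\\System32|\\Windows\\SysWOW64|\\Recycle\.Bin)"
)
EVENT_TYPES = {"ProcessRollup2", "SyntheticProcessRollup2"}
GROUP_FIELDS = ["ComputerName", "UserName", "ImageFileName", "CommandLine",
                "ParentBaseFileName", "SuspiciousTarget"]

# Hypothetical tuning allowlist of patch-agent parent processes (constructed name).
ALLOWED_PARENTS = {"patchagent_example.exe"}


def _ev(name, host, user, image, cmd, parent, ts):
    return {"event_simpleName": name, "ComputerName": host, "UserName": user,
            "ImageFileName": image, "CommandLine": cmd,
            "ParentBaseFileName": parent, "timestamp": ts}


# Constructed sample telemetry shaped like FDR process events (not real data).
CMD = r"\Device\HarddiskVolume3\Windows\System32\cmd.exe"
PS = r"\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XCOPY = r"\Device\HarddiskVolume3\Windows\System32\xcopy.exe"
NOTEPAD = r"\Device\HarddiskVolume3\Windows\System32\notepad.exe"
EVENTS = [
    _ev("ProcessRollup2", "WS01", "alice", CMD,
        r"cmd.exe /c copy C:\Windows\System32\calc.exe C:\Users\alice\AppData\Local\Temp\svchost32.exe",
        "explorer.exe", 100),
    _ev("ProcessRollup2", "WS01", "alice", CMD,   # identical command repeated: groupBy counts it
        r"cmd.exe /c copy C:\Windows\System32\calc.exe C:\Users\alice\AppData\Local\Temp\svchost32.exe",
        "explorer.exe", 160),
    _ev("SyntheticProcessRollup2", "WS02", "bob", PS,
        r'powershell.exe -nop -c "Copy-Item C:\Users\bob\Downloads\inv.exe C:\ProgramData\WindowsUpdate\wuauclt_helper.exe"',
        "winword.exe", 200),
    _ev("ProcessRollup2", "WS03", "carol", XCOPY,
        r"xcopy C:\Users\carol\Downloads\tool.exe C:\Windows\Temp\ /Y", "cmd.exe", 300),
    _ev("ProcessRollup2", "WS04", "SYSTEM", CMD,   # benign: non-staging path, patch-agent parent
        r"cmd.exe /c copy C:\Staging\update_pkg.exe C:\Tools\update_pkg.exe",
        "patchagent_example.exe", 400),
    _ev("ProcessRollup2", "WS05", "dave", CMD,     # copies a .txt, yet "cmd.exe" satisfies EXT_RE
        r"cmd.exe /c copy C:\Users\dave\report.txt D:\share\report.txt", "explorer.exe", 500),
    _ev("ProcessRollup2", "WS05", "dave", NOTEPAD, # image is not a shell or copy tool: filtered out
        r"notepad.exe C:\Users\dave\notes.exe.txt", "explorer.exe", 600),
]


def matches_filters(ev):
    """The four filter stages of the query, applied to one event."""
    return (ev["event_simpleName"] in EVENT_TYPES
            and IMAGE_RE.search(ev["ImageFileName"]) is not None
            and VERB_RE.search(ev["CommandLine"]) is not None
            and EXT_RE.search(ev["CommandLine"]) is not None)


def suspicious_target(cmdline):
    """The case{} stage: True when any known staging path appears in the command line."""
    return STAGING_RE.search(cmdline) is not None


def run_detection(events, allowed_parents=frozenset()):
    """Filter, derive SuspiciousTarget, then emulate groupBy/count/min/max and sort."""
    groups = {}
    for ev in events:
        if not matches_filters(ev):
            continue
        if ev["ParentBaseFileName"].lower() in allowed_parents:   # tuning step
            continue
        key = (ev["ComputerName"], ev["UserName"], ev["ImageFileName"], ev["CommandLine"],
               ev["ParentBaseFileName"], suspicious_target(ev["CommandLine"]))
        g = groups.setdefault(key, {"EventCount": 0, "FirstSeen": ev["timestamp"],
                                    "LastSeen": ev["timestamp"]})
        g["EventCount"] += 1
        g["FirstSeen"] = min(g["FirstSeen"], ev["timestamp"])
        g["LastSeen"] = max(g["LastSeen"], ev["timestamp"])
    rows = [dict(zip(GROUP_FIELDS, key), **g) for key, g in groups.items()]
    rows.sort(key=lambda r: r["EventCount"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in run_detection(EVENTS, allowed_parents=ALLOWED_PARENTS):
        print(row["ComputerName"], row["EventCount"], row["SuspiciousTarget"], row["CommandLine"])
```

Running the sample shows two properties of the query worth knowing before deploying it. The extension regex is applied to the whole command line, so any cmd.exe invocation that echoes its own image name (`cmd.exe /c copy report.txt ...`) passes the `.exe` check even when the copied file is not executable; and the staging-path regex likewise inspects the whole command line, so a source path under `\Windows\System32` (as in Test 1 below) sets SuspiciousTarget regardless of where the file is written. Both are acceptable for a hunting query but argue for the parent-process allowlist shown, or for anchoring the regexes to the destination argument, when tuning for alerting.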

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Copy Executable to AppData Temp Directory Using cmd.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'copy C:\Windows\System32\calc.exe' and 'svchost32.exe'. Sysmon Event ID 11: File Create with TargetFilename=%APPDATA%\Local\Temp\svchost32.exe, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FileName=svchost32.exe, FolderPath contains AppData\Local\Temp.

  2. Test 2: Relocate Payload Using PowerShell Copy-Item to ProgramData

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Copy-Item' and 'ProgramData'. Sysmon Event ID 11: File Create with TargetFilename=C:\ProgramData\WindowsUpdate\wuauclt_helper.exe, Image=powershell.exe. DeviceProcessEvents: ProcessCommandLine has 'Copy-Item' and '.exe'. DeviceFileEvents: ActionType=FileCreated in ProgramData path.

  3. Test 3: Move and Delete Original Payload Simulating Evidence Cleanup

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with full copy-and-delete command line. Sysmon Event ID 11: File Create for %TEMP%\dropped_invoice.exe and %APPDATA%\Microsoft\Windows\helper_svc.exe. Sysmon Event ID 23: File Delete for %TEMP%\dropped_invoice.exe. DeviceFileEvents: ActionType=FileCreated (helper_svc.exe in AppData\Microsoft\Windows) and ActionType=FileDeleted (dropped_invoice.exe in Temp).

  4. Test 4: Rename and Relocate Payload Using xcopy to Windows Temp

    Expected signal: Sysmon Event ID 1: Process Create with Image=xcopy.exe, CommandLine containing 'calc.exe' and 'C:\Windows\Temp\msupdate_kb.exe'. Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\Temp\msupdate_kb.exe, Image=xcopy.exe. DeviceProcessEvents: FileName=xcopy.exe, ProcessCommandLine has .exe extension and Windows\Temp path.
