Detect Relocate Malware in IBM QRadar
Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may be combined with file deletion to clean up older artifacts. Adversaries may rename payloads to blend into the local environment, target file/path exclusions (such as AV exclusion directories), or position payloads in persistence-related directories. A move or rename within the same NTFS volume keeps the file's original Creation timestamp (a copy, or a move across volumes, writes a new file with a new one), so detection logic keyed on recently created files can miss a relocated payload.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1070 Indicator Removal
- Sub-technique: T1070.010 Relocate Malware
- Canonical reference: https://attack.mitre.org/techniques/T1070/010/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
sourceip AS source_ip,
username,
QIDNAME(qid) AS event_name,
"EventID" AS sysmon_event_id,
"Image" AS process_image,
"CommandLine" AS command_line,
"TargetFilename" AS target_filename,
"ParentImage" AS parent_image,
"ParentCommandLine" AS parent_command_line
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
AND starttime > NOW() - 86400000
AND (
(
"EventID" = '1'
AND (
LOWER("CommandLine") LIKE '% copy %' OR
LOWER("CommandLine") LIKE '%xcopy%' OR
LOWER("CommandLine") LIKE '%robocopy%' OR
LOWER("CommandLine") LIKE '%copy-item%' OR
LOWER("CommandLine") LIKE '%move-item%' OR
LOWER("CommandLine") LIKE '% move %' OR
LOWER("CommandLine") LIKE '%rename-item%'
)
AND (
LOWER("CommandLine") LIKE '%.exe%' OR
LOWER("CommandLine") LIKE '%.dll%' OR
LOWER("CommandLine") LIKE '%.bat%' OR
LOWER("CommandLine") LIKE '%.ps1%' OR
LOWER("CommandLine") LIKE '%.vbs%' OR
LOWER("CommandLine") LIKE '%.hta%' OR
LOWER("CommandLine") LIKE '%.cmd%' OR
LOWER("CommandLine") LIKE '%.scr%' OR
LOWER("CommandLine") LIKE '%.pif%'
)
)
OR (
"EventID" = '11'
AND (
LOWER("TargetFilename") LIKE '%\\appdata\\roaming\\%' OR
LOWER("TargetFilename") LIKE '%\\appdata\\local\\temp\\%' OR
LOWER("TargetFilename") LIKE '%\\programdata\\%' OR
LOWER("TargetFilename") LIKE '%\\windows\\temp\\%' OR
LOWER("TargetFilename") LIKE '%\\users\\public\\%' OR
LOWER("TargetFilename") LIKE '%\\windows\\system32\\%' OR
LOWER("TargetFilename") LIKE '%\\windows\\syswow64\\%' OR
LOWER("TargetFilename") LIKE '%recycle%'
)
AND (
LOWER("TargetFilename") LIKE '%.exe' OR
LOWER("TargetFilename") LIKE '%.dll' OR
LOWER("TargetFilename") LIKE '%.bat' OR
LOWER("TargetFilename") LIKE '%.ps1' OR
LOWER("TargetFilename") LIKE '%.vbs' OR
LOWER("TargetFilename") LIKE '%.hta' OR
LOWER("TargetFilename") LIKE '%.cmd' OR
LOWER("TargetFilename") LIKE '%.scr' OR
LOWER("TargetFilename") LIKE '%.pif'
)
AND (
LOWER("Image") LIKE '%cmd.exe' OR
LOWER("Image") LIKE '%powershell.exe' OR
LOWER("Image") LIKE '%pwsh.exe' OR
LOWER("Image") LIKE '%xcopy.exe' OR
LOWER("Image") LIKE '%robocopy.exe' OR
LOWER("Image") LIKE '%wscript.exe' OR
LOWER("Image") LIKE '%cscript.exe' OR
LOWER("Image") LIKE '%mshta.exe'
)
)
)
ORDER BY starttime DESC
QRadar AQL query targeting Sysmon EventID 1 (Process Create) and EventID 11 (File Create) events parsed via the Microsoft Sysmon DSM. Branch one detects shell processes issuing copy, move, or rename commands that reference executable extensions. Branch two detects executable file drops into common staging directories by known LOLBin initiating processes. The fields Image, CommandLine, TargetFilename, and ParentImage are custom event properties populated by the Sysmon DSM. Two coverage notes: a rename or a move within the same volume does not create a new file, so it produces no Sysmon Event ID 11 and is seen only by branch one; and because Sysmon's CommandLine normally begins with the executing image's own path (for example C:\Windows\System32\cmd.exe), the '%.exe%' test in branch one is satisfied by the shell itself, so the extension clause filters less than it appears to and the copy/move verb clause carries most of the weight.
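The following Python is an added worked example, not part of the original rule and not QRadar code: it re-implements the two AQL branches above as plain functions and runs them over a handful of constructed Sysmon-style event records shaped like the expected signals in the Testing Methodology section (the user name alice, the host names sccm01 and fs01, and the CcmExec.exe allowlist entry are all assumptions made for the example). It departs from the AQL in one place: the executable-extension test in branch one is applied only to the arguments after the executing image, so that cmd.exe's own ".exe" cannot satisfy it. It also shows how a parent-image allowlist would implement the tuning suggested under False Positives, and includes a same-volume move that yields only an Event ID 1, never an Event ID 11.

```python
"""Python model of the QRadar AQL rule above (example code added here; not the
original rule). Runs offline over constructed Sysmon-style events."""

# Branch one: copy/move/rename verbs and executable extensions from the AQL.
COPY_MOVE_VERBS = (" copy ", "xcopy", "robocopy", "copy-item",
                   "move-item", " move ", "rename-item")
EXEC_EXTS = (".exe", ".dll", ".bat", ".ps1", ".vbs", ".hta", ".cmd", ".scr", ".pif")

# Branch two: staging directories and initiating images from the AQL.
STAGING_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\",
                "\\windows\\temp\\", "\\users\\public\\", "\\windows\\system32\\",
                "\\windows\\syswow64\\", "recycle")
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe",
                "robocopy.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def _arguments_only(command_line):
    """Drop the leading image token (quoted or bare). The raw AQL tests '%.exe%'
    against the whole CommandLine, which the shell's own path always satisfies;
    checking only the arguments avoids that self-match."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:] if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def branch_process_create(ev):
    """Branch one: Event ID 1 with a copy/move verb and an executable extension in the arguments."""
    if ev.get("EventID") != "1":
        return False
    cl = ev.get("CommandLine", "").lower()
    args = _arguments_only(cl)
    return any(v in cl for v in COPY_MOVE_VERBS) and any(e in args for e in EXEC_EXTS)


def branch_file_create(ev):
    """Branch two: Event ID 11 writing an executable into a staging directory from a shell/LOLBin."""
    if ev.get("EventID") != "11":
        return False
    target = ev.get("TargetFilename", "").lower()
    image = ev.get("Image", "").lower()
    return (any(d in target for d in STAGING_DIRS)
            and target.endswith(EXEC_EXTS)
            and image.endswith(SHELL_IMAGES))


def detect(events, allowlisted_parents=()):
    """Return [(event_index, reason)] for events hitting either branch, skipping
    events whose ParentImage ends with an allowlisted deployment-agent name."""
    parents = tuple(p.lower() for p in allowlisted_parents)
    hits = []
    for i, ev in enumerate(events):
        if parents and ev.get("ParentImage", "").lower().endswith(parents):
            continue  # tuning: approved software-distribution parent
        if branch_process_create(ev):
            hits.append((i, "EventID 1 copy/move of executable"))
        elif branch_file_create(ev):
            hits.append((i, "EventID 11 executable drop in staging dir"))
    return hits


# Constructed sample events (assumed values, modelled on the Testing Methodology signals).
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c copy C:\Windows\System32\calc.exe C:\Users\alice\AppData\Local\Temp\svchost32.exe"},
    {"EventID": "11", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Copy-Item C:\Windows\System32\calc.exe C:\ProgramData\WindowsUpdate\wuauclt_helper.exe"},
    {"EventID": "11", "Image": r"C:\Windows\System32\xcopy.exe",
     "TargetFilename": r"C:\Windows\Temp\msupdate_kb.exe"},
    # Same-volume move: branch one fires, but no Event ID 11 is ever produced.
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c move C:\Users\alice\Downloads\invoice.exe C:\Users\alice\AppData\Roaming\helper.exe"},
    # Benign: copy of a document; the shell's own .exe must not count as a hit.
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c copy C:\Users\alice\Documents\report.docx \\fs01\share\q3"},
    # Benign: Explorer (not a listed shell image) writing an installer to Temp.
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    # Software distribution: matches branch one unless its parent is allowlisted.
    {"EventID": "1", "Image": r"C:\Windows\System32\robocopy.exe",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r"robocopy.exe \\sccm01\pkg C:\ProgramData\Pkg agent.exe /Z"},
]

if __name__ == "__main__":
    for idx, reason in detect(SAMPLE_EVENTS, allowlisted_parents=("CcmExec.exe",)):
        print(idx, reason, SAMPLE_EVENTS[idx].get("CommandLine") or SAMPLE_EVENTS[idx].get("TargetFilename"))
```

Run without an allowlist, events 0 through 4 and 7 match; with CcmExec.exe allowlisted as a parent, event 7 is suppressed while the two benign events (5 and 6) never match in either mode. Event 4 is the one to keep in mind when reviewing QRadar results: a rename or same-volume move appears only as a process-create hit, so pairing branch one with Event ID 23/26 (file delete) telemetry is what exposes the copy-then-delete pattern described above.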
Data Sources
- Microsoft Sysmon, Event ID 1 (Process Create) and Event ID 11 (File Create), collected through the QRadar Microsoft Sysmon DSM with the Image, CommandLine, TargetFilename, and ParentImage custom event properties enabled
Required Tables
- events
False Positives & Tuning
- Automated patch management systems such as WSUS or SCCM that invoke robocopy or xcopy to distribute executable update packages to ProgramData or System32 directories during scheduled maintenance windows
- Custom application deployment scripts run by cmd.exe or PowerShell that legitimately copy EXE or DLL files to standard installation directories as part of approved software packaging pipelines
- Backup and recovery agents that spawn shell processes to move or rename executable files during restoration workflows, satisfying the process image, extension, and suspicious path conditions simultaneously
Testing Methodology
Validate this detection against the four Atomic Red Team-style test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Copy Executable to AppData Temp Directory Using cmd.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'copy C:\Windows\System32\calc.exe' and 'svchost32.exe'. Sysmon Event ID 11: File Create with TargetFilename=%LOCALAPPDATA%\Temp\svchost32.exe, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FileName=svchost32.exe, FolderPath contains AppData\Local\Temp.
- Test 2: Relocate Payload Using PowerShell Copy-Item to ProgramData
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Copy-Item' and 'ProgramData'. Sysmon Event ID 11: File Create with TargetFilename=C:\ProgramData\WindowsUpdate\wuauclt_helper.exe, Image=powershell.exe. DeviceProcessEvents: ProcessCommandLine has 'Copy-Item' and '.exe'. DeviceFileEvents: ActionType=FileCreated in ProgramData path.
- Test 3: Move and Delete Original Payload Simulating Evidence Cleanup
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with the full copy-and-delete command line. Sysmon Event ID 11: File Create for %TEMP%\dropped_invoice.exe and %APPDATA%\Microsoft\Windows\helper_svc.exe. Sysmon Event ID 23: File Delete for %TEMP%\dropped_invoice.exe (requires a FileDelete rule in the Sysmon configuration). DeviceFileEvents: ActionType=FileCreated (helper_svc.exe in AppData\Microsoft\Windows) and ActionType=FileDeleted (dropped_invoice.exe in Temp).
- Test 4: Rename and Relocate Payload Using xcopy to Windows Temp
Expected signal: Sysmon Event ID 1: Process Create with Image=xcopy.exe, CommandLine containing 'calc.exe' and 'C:\Windows\Temp\msupdate_kb.exe'. Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\Temp\msupdate_kb.exe, Image=xcopy.exe. DeviceProcessEvents: FileName=xcopy.exe, ProcessCommandLine has .exe extension and Windows\Temp path.
References (9)
- https://attack.mitre.org/techniques/T1070/010/
- https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
- https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.010/T1070.010.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file
- https://www.sans.org/white-papers/39870/