T1070.010 Microsoft Sentinel · KQL

Detect Relocate Malware in Microsoft Sentinel

Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may be combined with file deletion to clean up older artifacts. Adversaries may rename payloads to blend into the local environment, target file/path exclusions (such as AV exclusion directories), or position payloads in persistence-related directories. Moving payloads does not alter the Creation timestamp, evading detection logic reliant on file creation time modifications.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.010 Relocate Malware
Canonical reference
https://attack.mitre.org/techniques/T1070/010/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let SuspiciousTargetPaths = dynamic([
  "\\AppData\\Roaming\\",
  "\\AppData\\Local\\Temp\\",
  "\\ProgramData\\",
  "\\Windows\\Temp\\",
  "\\Users\\Public\\",
  "\\Windows\\System32\\",
  "\\Windows\\SysWOW64\\",
  "\\Recycle",
  "\\$Recycle.Bin"
]);
let SuspiciousExtensions = dynamic([
  ".exe", ".dll", ".bat", ".ps1", ".vbs", ".js", ".hta", ".cmd", ".scr", ".cpl", ".pif"
]);
let CopyTools = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe", "copy", "cp"
]);
// Detect file copy/move via process command lines
let ProcessCopyEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe")
| where ProcessCommandLine has_any ("copy ", "xcopy ", "robocopy ", "Copy-Item", "Move-Item", "cp ", "mv ", "move ")
| where ProcessCommandLine has_any (SuspiciousExtensions)
| extend TargetsSuspiciousPath = ProcessCommandLine has_any (SuspiciousTargetPaths)
| extend IsRename = ProcessCommandLine has_any ("ren ", "rename ", "Rename-Item", "mv ")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          TargetsSuspiciousPath, IsRename, FolderPath, ProcessId
| extend EventSource = "ProcessCopy";
// Detect file creation events in suspicious directories for executable types
let FileCopyEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileRenamed")
| where FolderPath has_any (SuspiciousTargetPaths)
| where FileName has_any (SuspiciousExtensions)
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe", "explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          FileName, FolderPath, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessId, SHA256
| extend EventSource = "FileCopy", TargetsSuspiciousPath = true, IsRename = (ActionType == "FileRenamed");
ProcessCopyEvents
| union FileCopyEvents
| sort by Timestamp desc
```

Severity: medium · Confidence: medium

Detects malware relocation activity by monitoring both process command lines (cmd, PowerShell, xcopy, robocopy) that copy or move executable files, and file creation/rename events in suspicious directories initiated by known script/command interpreters. Covers copy, move, and rename operations targeting executable extensions in paths commonly used for evasion (Temp, AppData, ProgramData, Recycle Bin, System32). Uses two event sources (DeviceProcessEvents and DeviceFileEvents) unioned for comprehensive coverage.

Data Sources

  • Process: Process Creation
  • File: File Creation
  • File: File Modification
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • Software installers and update mechanisms that copy executables to Program Files or Windows directories
  • IT administrators using robocopy or xcopy for legitimate software deployment and patch management
  • Antivirus or EDR quarantine operations that move suspicious files to quarantine directories
  • Legitimate application self-update routines that copy new versions to AppData or Temp before replacing the original
  • Backup software copying executable files as part of scheduled backup operations

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Copy Executable to AppData Temp Directory Using cmd.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'copy C:\Windows\System32\calc.exe' and 'svchost32.exe'. Sysmon Event ID 11: File Create with TargetFilename=%APPDATA%\Local\Temp\svchost32.exe, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FileName=svchost32.exe, FolderPath contains AppData\Local\Temp.

  2. Test 2: Relocate Payload Using PowerShell Copy-Item to ProgramData

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Copy-Item' and 'ProgramData'. Sysmon Event ID 11: File Create with TargetFilename=C:\ProgramData\WindowsUpdate\wuauclt_helper.exe, Image=powershell.exe. DeviceProcessEvents: ProcessCommandLine has 'Copy-Item' and '.exe'. DeviceFileEvents: ActionType=FileCreated in ProgramData path.

  3. Test 3: Move and Delete Original Payload Simulating Evidence Cleanup

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with full copy-and-delete command line. Sysmon Event ID 11: File Create for %TEMP%\dropped_invoice.exe and %APPDATA%\Microsoft\Windows\helper_svc.exe. Sysmon Event ID 23: File Delete for %TEMP%\dropped_invoice.exe. DeviceFileEvents: ActionType=FileCreated (helper_svc.exe in AppData\Microsoft\Windows) and ActionType=FileDeleted (dropped_invoice.exe in Temp).

  4. Test 4: Rename and Relocate Payload Using xcopy to Windows Temp

    Expected signal: Sysmon Event ID 1: Process Create with Image=xcopy.exe, CommandLine containing 'calc.exe' and 'C:\Windows\Temp\msupdate_kb.exe'. Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\Temp\msupdate_kb.exe, Image=xcopy.exe. DeviceProcessEvents: FileName=xcopy.exe, ProcessCommandLine has .exe extension and Windows\Temp path.
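As an added example, not the page's or the rule author's code, the following Python models the query above (both branches and the union), runs it over constructed DeviceProcessEvents and DeviceFileEvents rows that mirror the four expected signals in the tests above, and layers a tuning allowlist on top for the robocopy deployment case from the false-positive list. Column names follow the Defender tables; device names, accounts, timestamps, source paths, the `svc_deploy` job and the allowlist phrase are assumptions, and `has_phrase` is a term-based approximation of Kusto's `has`, not the engine's own matching.

```python
# Added example, not the page's or the rule author's code: a Python model of the KQL above, run over
# constructed DeviceProcessEvents / DeviceFileEvents rows. Column names follow the Defender tables;
# device names, accounts, timestamps, source paths and the allowlist phrase are assumptions.
import re
from dataclasses import dataclass

SUSPICIOUS_TARGET_PATHS = ["\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\", "\\ProgramData\\",
                           "\\Windows\\Temp\\", "\\Users\\Public\\", "\\Windows\\System32\\",
                           "\\Windows\\SysWOW64\\", "\\Recycle", "\\$Recycle.Bin"]
SUSPICIOUS_EXTENSIONS = [".exe", ".dll", ".bat", ".ps1", ".vbs", ".js", ".hta", ".cmd", ".scr", ".cpl", ".pif"]
COPY_PROCESSES = {"cmd.exe", "powershell.exe", "pwsh.exe", "xcopy.exe", "robocopy.exe"}
COPY_VERBS = ["copy ", "xcopy ", "robocopy ", "Copy-Item", "Move-Item", "cp ", "mv ", "move "]
RENAME_VERBS = ["ren ", "rename ", "Rename-Item", "mv "]
FILE_INITIATORS = COPY_PROCESSES | {"explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
FILE_ACTIONS = {"FileCreated", "FileRenamed"}
_TERM = re.compile(r"[A-Za-z0-9]+")

def has_phrase(text: str, phrase: str) -> bool:
    # Approximation of KQL `has`: case-insensitive match on a run of whole alphanumeric terms, so the
    # backslashes and dots in the patterns act as separators, as they do in Kusto's term index.
    needle = [t.lower() for t in _TERM.findall(phrase)]
    hay = [t.lower() for t in _TERM.findall(text)]
    n = len(needle)
    return n > 0 and any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))

def has_any(text: str, phrases) -> bool:
    return any(has_phrase(text, p) for p in phrases)

@dataclass
class ProcessEvent:  # subset of DeviceProcessEvents columns
    Timestamp: str; DeviceName: str; AccountName: str; FileName: str; ProcessCommandLine: str

@dataclass
class FileEvent:  # subset of DeviceFileEvents columns
    Timestamp: str; DeviceName: str; InitiatingProcessAccountName: str; FileName: str; FolderPath: str
    ActionType: str; InitiatingProcessFileName: str; InitiatingProcessCommandLine: str

def process_copy_events(rows):
    """ProcessCopyEvents branch: interpreters or copy tools whose command line moves an executable type."""
    hits = []
    for r in rows:
        if (r.FileName.lower() in COPY_PROCESSES and has_any(r.ProcessCommandLine, COPY_VERBS)
                and has_any(r.ProcessCommandLine, SUSPICIOUS_EXTENSIONS)):
            hits.append({"EventSource": "ProcessCopy", "Timestamp": r.Timestamp, "DeviceName": r.DeviceName,
                         "AccountName": r.AccountName, "FileName": r.FileName,
                         "CommandLine": r.ProcessCommandLine,
                         "TargetsSuspiciousPath": has_any(r.ProcessCommandLine, SUSPICIOUS_TARGET_PATHS),
                         "IsRename": has_any(r.ProcessCommandLine, RENAME_VERBS)})
    return hits

def file_copy_events(rows):
    """FileCopyEvents branch: create/rename of an executable type in an evasion path by a known initiator.
    FileDeleted rows are not matched, exactly as in the KQL ActionType filter."""
    hits = []
    for r in rows:
        if (r.ActionType in FILE_ACTIONS and has_any(r.FolderPath, SUSPICIOUS_TARGET_PATHS)
                and has_any(r.FileName, SUSPICIOUS_EXTENSIONS)
                and r.InitiatingProcessFileName.lower() in FILE_INITIATORS):
            hits.append({"EventSource": "FileCopy", "Timestamp": r.Timestamp, "DeviceName": r.DeviceName,
                         "AccountName": r.InitiatingProcessAccountName, "FileName": r.FileName,
                         "CommandLine": r.InitiatingProcessCommandLine, "TargetsSuspiciousPath": True,
                         "IsRename": r.ActionType == "FileRenamed"})
    return hits

def detect(process_rows, file_rows, allowlist=()):
    """Union of both branches, newest first. `allowlist` is a tuning layer added here, not in the KQL:
    hits whose command line carries a known-good copy-job phrase are dropped before alerting."""
    hits = process_copy_events(process_rows) + file_copy_events(file_rows)
    hits = [h for h in hits if not has_any(h["CommandLine"], allowlist)]
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)

# Constructed telemetry: rows T1..T4 mirror the four test signals, the last process row is a benign job.
PROCESS_ROWS = [
    ProcessEvent("2024-03-01T10:00:00Z", "ws01", "alice", "cmd.exe",                   # T1
                 r"cmd.exe /c copy C:\Windows\System32\calc.exe C:\Users\alice\AppData\Local\Temp\svchost32.exe"),
    ProcessEvent("2024-03-01T10:05:00Z", "ws01", "alice", "powershell.exe",            # T2
                 r"powershell.exe -Command Copy-Item C:\Users\alice\Downloads\stage.exe C:\ProgramData\WindowsUpdate\wuauclt_helper.exe"),
    ProcessEvent("2024-03-01T10:10:00Z", "ws01", "alice", "cmd.exe",                   # T3
                 r"cmd.exe /c copy C:\Users\alice\AppData\Local\Temp\dropped_invoice.exe C:\Users\alice\AppData\Roaming\Microsoft\Windows\helper_svc.exe && del C:\Users\alice\AppData\Local\Temp\dropped_invoice.exe"),
    ProcessEvent("2024-03-01T10:15:00Z", "ws01", "alice", "xcopy.exe",                 # T4
                 r"xcopy.exe /Y C:\Windows\System32\calc.exe C:\Windows\Temp\msupdate_kb.exe"),
    ProcessEvent("2024-03-01T09:00:00Z", "ws01", "svc_deploy", "robocopy.exe",         # benign deployment job
                 r"robocopy.exe \\deploy01\packages C:\ProgramData\Deploy agent.exe"),
]
FILE_ROWS = [
    FileEvent("2024-03-01T10:00:01Z", "ws01", "alice", "svchost32.exe", r"C:\Users\alice\AppData\Local\Temp",
              "FileCreated", "cmd.exe", PROCESS_ROWS[0].ProcessCommandLine),              # T1
    FileEvent("2024-03-01T10:05:01Z", "ws01", "alice", "wuauclt_helper.exe", r"C:\ProgramData\WindowsUpdate",
              "FileCreated", "powershell.exe", PROCESS_ROWS[1].ProcessCommandLine),       # T2
    FileEvent("2024-03-01T10:10:01Z", "ws01", "alice", "helper_svc.exe", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows",
              "FileCreated", "cmd.exe", PROCESS_ROWS[2].ProcessCommandLine),              # T3
    FileEvent("2024-03-01T10:10:02Z", "ws01", "alice", "dropped_invoice.exe", r"C:\Users\alice\AppData\Local\Temp",
              "FileDeleted", "cmd.exe", PROCESS_ROWS[2].ProcessCommandLine),              # T3 cleanup: not matched
    FileEvent("2024-03-01T10:15:01Z", "ws01", "alice", "msupdate_kb.exe", r"C:\Windows\Temp",
              "FileCreated", "xcopy.exe", PROCESS_ROWS[3].ProcessCommandLine),            # T4
]
ALLOWLIST = [r"robocopy.exe \\deploy01\packages"]  # tuning for the deployment account's known job

if __name__ == "__main__":
    for h in detect(PROCESS_ROWS, FILE_ROWS, ALLOWLIST):
        print(h["Timestamp"], h["EventSource"], h["FileName"], "rename" if h["IsRename"] else "copy")
```

Running it shows each test producing two hits (one per branch), while the FileDeleted event from Test 3 never surfaces because the query only matches FileCreated and FileRenamed; pairing the deletion with the creation is investigation work, not something this rule alerts on. The allowlist is deliberately keyed on the command-line phrase rather than on the process name alone, so the robocopy deployment job is suppressed without blinding the rule to every robocopy invocation.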
