Detect Relocate Malware in Splunk
Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may be combined with file deletion to clean up older artifacts. Adversaries may rename payloads to blend into the local environment, target file/path exclusions (such as AV exclusion directories), or position payloads in persistence-related directories. Moving payloads does not alter the Creation timestamp, evading detection logic reliant on file creation time modifications.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1070 Indicator Removal
- Sub-technique
- T1070.010 Relocate Malware
- Canonical reference
- https://attack.mitre.org/techniques/T1070/010/
SPL Detection Query
index=wineventlog (
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
OR
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11)
)
| eval EventType=case(
EventCode=1, "ProcessCreate",
EventCode=11, "FileCreate",
true(), "Unknown"
)
| eval CommandOrTarget=coalesce(CommandLine, TargetFilename)
| eval IsExecutable=if(match(CommandOrTarget, "(?i)\.(exe|dll|bat|ps1|vbs|js|hta|cmd|scr|cpl|pif)("|$|\s)"), 1, 0)
| eval SuspiciousPath=if(match(CommandOrTarget, "(?i)(\\appdata\\roaming|\\appdata\\local\\temp|\\programdata|\\windows\\temp|\\users\\public|\\windows\\system32|\\windows\\syswow64|\$recycle\.bin|recycle)"), 1, 0)
| eval CopyAction=if(
EventCode=1 AND match(lower(CommandLine), "(\scopy\s|xcopy|robocopy|copy-item|move-item|\smove\s|\bcp\s|\bmv\s|\bren\s|rename-item)"),
1, 0
)
| eval FileDropped=if(EventCode=11 AND (match(Image, "(?i)(cmd|powershell|pwsh|xcopy|robocopy|wscript|cscript|mshta)\.exe")), 1, 0)
| eval SuspicionScore=IsExecutable + SuspiciousPath + CopyAction + FileDropped
| where SuspicionScore >= 2
| eval ParentOrInitiator=coalesce(ParentImage, Image)
| table _time, host, User, EventType, Image, CommandOrTarget, ParentImage, ParentCommandLine, IsExecutable, SuspiciousPath, CopyAction, FileDropped, SuspicionScore
| sort - SuspicionScore, - _timeDetects malware relocation using Sysmon Event ID 1 (Process Create) and Event ID 11 (File Create). Evaluates whether executable file types are being copied or moved to suspicious directories by script interpreters or command shells. Assigns a suspicion score based on multiple indicators: executable file type, suspicious destination path, copy/move command presence, and file drop by a known interpreter. Events with a score of 2 or higher are surfaced as alerts.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Software installers and update mechanisms that copy executables to Program Files or Windows directories
- IT administrators using robocopy or xcopy for legitimate software deployment and patch management
- Antivirus or EDR quarantine operations that move suspicious files to quarantine directories
- Legitimate application self-update routines that copy new versions to AppData or Temp before replacing the original
- Backup software copying executable files as part of scheduled backup operations
Other platforms for T1070.010
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Copy Executable to AppData Temp Directory Using cmd.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'copy C:\Windows\System32\calc.exe' and 'svchost32.exe'. Sysmon Event ID 11: File Create with TargetFilename=%APPDATA%\Local\Temp\svchost32.exe, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FileName=svchost32.exe, FolderPath contains AppData\Local\Temp.
- Test 2Relocate Payload Using PowerShell Copy-Item to ProgramData
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Copy-Item' and 'ProgramData'. Sysmon Event ID 11: File Create with TargetFilename=C:\ProgramData\WindowsUpdate\wuauclt_helper.exe, Image=powershell.exe. DeviceProcessEvents: ProcessCommandLine has 'Copy-Item' and '.exe'. DeviceFileEvents: ActionType=FileCreated in ProgramData path.
- Test 3Move and Delete Original Payload Simulating Evidence Cleanup
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with full copy-and-delete command line. Sysmon Event ID 11: File Create for %TEMP%\dropped_invoice.exe and %APPDATA%\Microsoft\Windows\helper_svc.exe. Sysmon Event ID 23: File Delete for %TEMP%\dropped_invoice.exe. DeviceFileEvents: ActionType=FileCreated (helper_svc.exe in AppData\Microsoft\Windows) and ActionType=FileDeleted (dropped_invoice.exe in Temp).
- Test 4Rename and Relocate Payload Using xcopy to Windows Temp
Expected signal: Sysmon Event ID 1: Process Create with Image=xcopy.exe, CommandLine containing 'calc.exe' and 'C:\Windows\Temp\msupdate_kb.exe'. Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\Temp\msupdate_kb.exe, Image=xcopy.exe. DeviceProcessEvents: FileName=xcopy.exe, ProcessCommandLine has .exe extension and Windows\Temp path.
References (9)
- https://attack.mitre.org/techniques/T1070/010/
- https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
- https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.010/T1070.010.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file
- https://www.sans.org/white-papers/39870/
Unlock Pro Content
Get the full detection package for T1070.010 including response playbook, investigation guide, and atomic red team tests.