T1070.010 Sumo Logic CSE · Sumo

Detect Relocate Malware in Sumo Logic CSE

Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may be combined with file deletion to clean up older artifacts. Adversaries may rename payloads to blend into the local environment, target file/path exclusions (such as AV exclusion directories), or position payloads in persistence-related directories. Moving payloads does not alter the Creation timestamp, evading detection logic reliant on file creation time modifications.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1070 Indicator Removal
Sub-technique: T1070.010 Relocate Malware
Canonical reference: https://attack.mitre.org/techniques/T1070/010/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
// Keyword scope on the Sysmon source category. EventCode is not a metadata field,
// so the EventID filter is applied with `where` once it has been parsed.
_sourceCategory=*sysmon*
| parse xml field=_raw "/Event/System/EventID" as EventCode
| where EventCode = "1" or EventCode = "11"
| parse xml field=_raw "/Event/EventData/Data[@Name='Image']" as Image nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='CommandLine']" as CommandLine nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='TargetFilename']" as TargetFilename nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='ParentImage']" as ParentImage nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='ParentCommandLine']" as ParentCommandLine nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='User']" as User nodrop
| parse xml field=_raw "/Event/EventData/Data[@Name='Hashes']" as Hashes nodrop
// EventID 1 carries CommandLine, EventID 11 carries TargetFilename; score whichever is present.
| if (isBlank(CommandLine), TargetFilename, CommandLine) as CommandOrTarget
// Signal 1: a copy/move/rename command in a Process Create event.
| if (EventCode = "1" and !isNull(CommandLine)
      and toLowerCase(CommandLine) matches /.*(\scopy\s|xcopy|robocopy|copy-item|move-item|\smove\s|rename-item).*/, 1, 0) as IsCopyProcess
// Signal 2: an executable or script extension in the command line or target path.
| if (toLowerCase(CommandOrTarget) matches /.*\.(exe|dll|bat|ps1|vbs|hta|cmd|scr|cpl|pif).*/, 1, 0) as HasExeExtension
// Signal 3: a destination commonly used for staging or persistence.
| if (toLowerCase(CommandOrTarget) matches /.*(appdata.roaming|appdata.local.temp|programdata|windows.temp|users.public|windows.system32|windows.syswow64|recycle).*/, 1, 0) as TargetsSuspiciousPath
// Signal 4: a File Create event whose writing process is a scripting host or copy utility.
| if (EventCode = "11" and !isNull(Image)
      and toLowerCase(Image) matches /.*(cmd|powershell|pwsh|xcopy|robocopy|wscript|cscript|mshta)\.exe.*/, 1, 0) as FileDropByLolBin
| IsCopyProcess + HasExeExtension + TargetsSuspiciousPath + FileDropByLolBin as SuspicionScore
| where SuspicionScore >= 2
| fields _messageTime, _sourceHost, User, EventCode, Image, CommandLine, TargetFilename, ParentImage, ParentCommandLine, Hashes, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc
```

Severity: high · Confidence: medium

This Sumo Logic search processes Sysmon EventID 1 (Process Create) and EventID 11 (File Create) events forwarded from Windows endpoints. It parses the structured XML fields and computes a four-signal suspicion score: a copy or move command is present, an executable file extension is referenced, a suspicious destination path is matched, and a file is dropped by a known LOLBin process. Events scoring 2 or higher are surfaced, balancing noise reduction against broad T1070.010 coverage. The Sysmon Hashes field is extracted where available so the SHA256 can be used for immediate IOC lookups.

Data Sources

  • Sumo Logic with Windows Event Collector forwarding the Sysmon Operational log
  • Sumo Logic Installed Collector on Windows endpoints with a Sysmon source

Required Tables

Sysmon Operational log events routed to _sourceCategory=*sysmon*

False Positives & Tuning

  • Enterprise software distribution tools such as Chocolatey, PDQ Deploy, or Ninite that invoke PowerShell or cmd.exe to copy installer executables into ProgramData or Temp directories during automated software rollout jobs, easily scoring 3 out of 4 signals
  • Developer CI/CD pipelines running on Windows build agents that use PowerShell Copy-Item or robocopy to stage compiled binaries in system or roaming profile directories during artifact packaging or test deployment steps
  • Group Policy Software Installation or logon scripts that copy .bat, .ps1, or .vbs scripts to user AppData directories as part of scheduled workstation profile customisations, triggering both the extension and path signals

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Copy Executable to AppData Temp Directory Using cmd.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'copy C:\Windows\System32\calc.exe' and 'svchost32.exe'. Sysmon Event ID 11: File Create with TargetFilename=%APPDATA%\Local\Temp\svchost32.exe, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FileName=svchost32.exe, FolderPath contains AppData\Local\Temp.

  2. Test 2: Relocate Payload Using PowerShell Copy-Item to ProgramData

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Copy-Item' and 'ProgramData'. Sysmon Event ID 11: File Create with TargetFilename=C:\ProgramData\WindowsUpdate\wuauclt_helper.exe, Image=powershell.exe. DeviceProcessEvents: ProcessCommandLine has 'Copy-Item' and '.exe'. DeviceFileEvents: ActionType=FileCreated in ProgramData path.

  3. Test 3: Move and Delete Original Payload Simulating Evidence Cleanup

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with full copy-and-delete command line. Sysmon Event ID 11: File Create for %TEMP%\dropped_invoice.exe and %APPDATA%\Microsoft\Windows\helper_svc.exe. Sysmon Event ID 23: File Delete for %TEMP%\dropped_invoice.exe. DeviceFileEvents: ActionType=FileCreated (helper_svc.exe in AppData\Microsoft\Windows) and ActionType=FileDeleted (dropped_invoice.exe in Temp).

  4. Test 4: Rename and Relocate Payload Using xcopy to Windows Temp

    Expected signal: Sysmon Event ID 1: Process Create with Image=xcopy.exe, CommandLine containing 'calc.exe' and 'C:\Windows\Temp\msupdate_kb.exe'. Sysmon Event ID 11: File Create with TargetFilename=C:\Windows\Temp\msupdate_kb.exe, Image=xcopy.exe. DeviceProcessEvents: FileName=xcopy.exe, ProcessCommandLine has .exe extension and Windows\Temp path.
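As an added example (not part of this page or the vendor's rule), the Python below reimplements the query's four-signal scoring offline over constructed Sysmon XML, so the `SuspicionScore >= 2` threshold can be checked against the Test 1 telemetry above before the rule is deployed. The event bodies, the `alice` account and the benign Notepad++ event are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Sysmon-style events (not real telemetry): the EventID 1 / EventID 11 pair
# that Test 1 above should produce, plus a benign EventID 11 file create from a user app.
SAMPLE_EVENTS = [
    r"""<Event><System><EventID>1</EventID></System><EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c copy C:\Windows\System32\calc.exe C:\Users\alice\AppData\Local\Temp\svchost32.exe</Data></EventData></Event>""",
    r"""<Event><System><EventID>11</EventID></System><EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="TargetFilename">C:\Users\alice\AppData\Local\Temp\svchost32.exe</Data></EventData></Event>""",
    r"""<Event><System><EventID>11</EventID></System><EventData>
    <Data Name="Image">C:\Program Files\Notepad++\notepad++.exe</Data>
    <Data Name="TargetFilename">C:\Users\alice\Documents\notes.txt</Data></EventData></Event>""",
]

# The four signal patterns from the query; re.search stands in for Sumo's leading/trailing .*
COPY_RE = re.compile(r"(\scopy\s|xcopy|robocopy|copy-item|move-item|\smove\s|rename-item)")
EXT_RE = re.compile(r"\.(exe|dll|bat|ps1|vbs|hta|cmd|scr|cpl|pif)")
PATH_RE = re.compile(r"(appdata.roaming|appdata.local.temp|programdata|windows.temp|users.public|windows.system32|windows.syswow64|recycle)")
LOLBIN_RE = re.compile(r"(cmd|powershell|pwsh|xcopy|robocopy|wscript|cscript|mshta)\.exe")

def parse_event(xml_text):
    """Flatten one Sysmon event into {"EventCode", "Image", "CommandLine", "TargetFilename", ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventCode": root.findtext("System/EventID")}
    for data in root.iterfind("EventData/Data"):
        event[data.get("Name")] = data.text or ""
    return event

def score_event(event):
    """Return (SuspicionScore, per-signal booleans) computed like the query's four if() clauses."""
    code = event["EventCode"]
    cmd = event.get("CommandLine", "")
    target = cmd if cmd else event.get("TargetFilename", "")  # the query's CommandOrTarget
    signals = {
        "IsCopyProcess": code == "1" and bool(COPY_RE.search(cmd.lower())),
        "HasExeExtension": bool(EXT_RE.search(target.lower())),
        "TargetsSuspiciousPath": bool(PATH_RE.search(target.lower())),
        "FileDropByLolBin": code == "11" and bool(LOLBIN_RE.search(event.get("Image", "").lower())),
    }
    return sum(signals.values()), signals

def alerts(raw_events, threshold=2):
    """The query's `where SuspicionScore >= 2`: (EventCode, score) for each surfaced event."""
    scored = [(e["EventCode"], score_event(e)[0]) for e in map(parse_event, raw_events)]
    return [item for item in scored if item[1] >= threshold]
```

Both Test 1 events score 3 (the Process Create loses only the LOLBin file-drop signal, the File Create only the copy-command signal), while the Notepad++ write scores 0, which is the separation the `>= 2` threshold relies on.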
