title: Relocate Malware (T1070.010)
id: df00tech-t1070-010
status: experimental
description: "Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may be combined with file deletion to clean up older artifacts. Adversaries may rename payloads to blend into the local environment, target file/path exclusions (such as AV exclusion directories), or position payloads in persistence-related directories. Moving payloads does not alter the Creation timestamp, evading detection logic reliant on file creation time modifications."
references:
  - https://attack.mitre.org/techniques/T1070/010/
  - https://df00tech.com/detections/T1070.010
author: df00tech
date: 2026/04/13
tags:
  - attack.t1070.010
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software installers and update mechanisms that copy executables to Program Files or Windows directories
  - IT administrators using robocopy or xcopy for legitimate software deployment and patch management
  - Antivirus or EDR quarantine operations that move suspicious files to quarantine directories
  - Legitimate application self-update routines that copy new versions to AppData or Temp before replacing the original
  - Backup software copying executable files as part of scheduled backup operations
level: medium