Detection of Malware Relocation via Suspicious File Movement

Technique Detected: Relocate Malware | T1070.010

ID: DET0439
Domains: Enterprise
Analytics: AN1216, AN1217, AN1218, AN1219
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1216

Detects the relocation of malicious executables via copy/move actions across suspicious folders (e.g., from Downloads to System32), followed by deletion of the original source or renaming to blend into legitimate binaries.

Log Sources
  Data Component            Name                 Channel
  File Creation (DC0039)    WinEventLog:Sysmon   EventCode=11
  File Deletion (DC0040)    WinEventLog:Sysmon   EventCode=23
Mutable Elements
  Field                      Description
  SuspiciousTargetPathRegex  Patterns like \Windows\*, \System32\*, or temp+execution directories
  TimeWindow                 Correlate copy+rename+delete chains within a 5-minute window
  FileExtensionFilter        Limit to .exe, .dll, .js, .bat unless context suggests otherwise
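The AN1216 correlation as runnable detection logic, added here as an illustration rather than code from the ATT&CK project. It assumes Sysmon events have been parsed into dicts with the fields EventCode, UtcTime, ProcessGuid and TargetFilename, and the sample events are constructed, not real telemetry; the regex, extension list and window are example values for the mutable elements above.

```python
import re
from datetime import datetime, timedelta

# Example values for the mutable elements (assumptions, tune per environment)
SUSPICIOUS_TARGET_PATH = re.compile(r"\\Windows\\|\\System32\\", re.IGNORECASE)
FILE_EXTENSION_FILTER = (".exe", ".dll", ".js", ".bat")
TIME_WINDOW = timedelta(minutes=5)

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def _filtered(path):
    return path.lower().endswith(FILE_EXTENSION_FILTER)

def find_relocations(events):
    """Correlate a Sysmon EventCode 11 (FileCreate) into a suspicious directory with
    a later EventCode 23 (FileDelete), by the same process, of a filtered file that
    lives outside that directory, within TIME_WINDOW. Matching on ProcessGuid rather
    than file name also catches the copy-then-rename case. Returns (src, dst) pairs."""
    creates = [e for e in events if e["EventCode"] == 11
               and SUSPICIOUS_TARGET_PATH.search(e["TargetFilename"])
               and _filtered(e["TargetFilename"])]
    deletes = [e for e in events if e["EventCode"] == 23
               and not SUSPICIOUS_TARGET_PATH.search(e["TargetFilename"])
               and _filtered(e["TargetFilename"])]
    hits = []
    for c in creates:
        t0 = _parse(c["UtcTime"])
        for d in deletes:
            t1 = _parse(d["UtcTime"])
            if d["ProcessGuid"] == c["ProcessGuid"] and t0 <= t1 <= t0 + TIME_WINDOW:
                hits.append((d["TargetFilename"], c["TargetFilename"]))
    return hits

# Constructed sample events (hypothetical, not real telemetry)
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2025-10-21 10:00:05", "ProcessGuid": "{A}",
     "TargetFilename": "C:\\Windows\\System32\\svchosts.exe"},   # blends with svchost.exe
    {"EventCode": 23, "UtcTime": "2025-10-21 10:00:09", "ProcessGuid": "{A}",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\update.exe"},  # source removed
    {"EventCode": 11, "UtcTime": "2025-10-21 10:02:00", "ProcessGuid": "{B}",
     "TargetFilename": "C:\\Windows\\System32\\vendor.dll"},       # installer write
    {"EventCode": 23, "UtcTime": "2025-10-21 10:30:00", "ProcessGuid": "{B}",
     "TargetFilename": "C:\\Temp\\vendor.dll"},                    # outside window
]

if __name__ == "__main__":
    for src, dst in find_relocations(SAMPLE_EVENTS):
        print(f"relocation: {src} -> {dst}")
```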

AN1217

Detects binary movement or copying between untrusted and trusted paths (e.g., /tmp/ → /usr/bin/ or /etc/init.d/) that may indicate persistence attempts or cleanup of origin traces.

Log Sources
  Data Component              Name             Channel
  File Modification (DC0061)  auditd:SYSCALL   PATH
Mutable Elements
  Field                   Description
  RelocationPathPatterns  Match movement into known persistence or exclusion directories
  BinaryEntropyThreshold  Apply threshold to detect high-entropy relocations (e.g., packed malware)

AN1218

Detects movement of binaries to ~/Library/, /System/, or app bundle locations, especially after initial execution or download from Safari or Mail.

Log Sources
  Data Component              Name               Channel
  Command Execution (DC0064)  macos:unifiedlog   log stream
  File Modification (DC0061)  macos:osquery      file_events
Mutable Elements
  Field                    Description
  TargetBundlePathPattern  Monitor relocation to .app/Contents/MacOS/ or ~/Library/Launch*
  QuarantineFlagCheck      Check for disappearance of the com.apple.quarantine attribute post-move

AN1219

Detects firmware or script relocation attempts (e.g., CLI-based copy, move, or rename) between temporary partitions and config startup folders on routers or switches.

Log Sources
  Data Component              Name                   Channel
  Command Execution (DC0064)  networkdevice:syslog   command audit
Mutable Elements
  Field                Description
  StartupConfigPath    Targeted config folders like flash:/startup-config or nvram:
  CommandPatternMatch  e.g., `copy tftp flash`, `rename`, `move flash:/old.bin flash:/new.bin`