Stealth

T1070.010: Relocate Malware

T1070.010 · Sub-technique · 4 platforms

Description

Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with File Deletion to clean up older artifacts.

Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., Match Legitimate Resource Name or Location).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target File/Path Exclusions as well as specific locations associated with establishing Persistence.(Citation: Latrodectus APR 2024)

Relocating malicious payloads may also hinder defensive analysis, especially by separating these payloads from earlier events (such as User Execution and Phishing) that may have generated alerts or otherwise drawn attention from defenders. A move within the same volume does not alter the file's creation timestamp (unlike a copy, which produces a new file whose creation time is the time of the copy, or a cross-volume move, which behaves like a copy), so detection logic that looks for a modified creation timestamp (i.e., Timestomp) does not fire on a moved payload.
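The three behaviours above (copy or move from the delivery location, rename to blend in, and a destination in a persistence directory or an excluded path) can be correlated in endpoint telemetry. The following detector is an added example for this page, not MITRE code: it replays constructed file-creation and process-creation records, tracks content dropped by delivery-stage parents or into staging directories by hash, and flags later copies, moves or re-creations of that content elsewhere. The path globs, parent process names and copy verbs are assumptions a real deployment would tune.

```python
"""Toy detector for T1070.010 (Relocate Malware) over endpoint telemetry.

Added example for this page, not MITRE code.  The event records, paths and
hashes are constructed; SENSITIVE_PATHS, STAGING_PATHS, DELIVERY_PARENTS and
COPY_VERBS are assumptions a real deployment would tune to its environment.
"""
import fnmatch
import shlex

# Assumed persistence directories and paths that commonly carry AV/EDR
# exclusions (lower-case globs, forward slashes).
SENSITIVE_PATHS = [
    "c:/programdata/*", "c:/windows/tasks/*",
    "c:/users/*/appdata/roaming/microsoft/windows/start menu/programs/startup/*",
    "/etc/cron.d/*", "/etc/systemd/system/*", "/usr/sbin/*", "/usr/local/bin/*",
]
# Assumed delivery/staging locations and the parents that typically write there.
STAGING_PATHS = ["*/downloads/*", "*/appdata/local/temp/*", "/tmp/*", "/dev/shm/*"]
DELIVERY_PARENTS = {"chrome.exe", "msedge.exe", "firefox", "outlook.exe",
                    "winword.exe", "excel.exe", "curl", "wget"}
COPY_VERBS = {"copy", "xcopy", "robocopy", "move", "copy-item", "move-item",
              "cp", "mv", "install"}


def norm(path):
    """One separator, no surrounding quotes, lower case, for cross-platform matching."""
    return path.strip('"').replace("\\", "/").lower()


def basename(path):
    return norm(path).rstrip("/").rsplit("/", 1)[-1]


def matches(path, globs):
    return any(fnmatch.fnmatchcase(norm(path), g) for g in globs)


def parse_copy(cmdline):
    """Return (src, dst) when the command line runs a copy/move verb, else None.

    Works for 'cmd.exe /c copy /y A B', 'cp -f A B' and 'Copy-Item -Path A
    -Destination B': switches are dropped and the last two remaining arguments
    after the verb are taken as source and destination.
    """
    try:
        toks = shlex.split(cmdline, posix=False)  # keep backslashes in Windows paths
    except ValueError:
        return None
    for i, tok in enumerate(toks):
        if basename(tok) in COPY_VERBS:
            args = [t for t in toks[i + 1:]
                    if not t.startswith("-")                      # -f, -Path
                    and not (t.startswith("/") and len(t) <= 3)]  # /y, /s (not /tmp)
            return (args[-2].strip('"'), args[-1].strip('"')) if len(args) >= 2 else None
    return None


def detect_relocation(events):
    """Correlate delivery-stage drops with later copies/moves of the same content.

    Returns one finding per suspicious event as {"ts", "path", "reasons"}.
    """
    drops = {}       # sha256 -> path where that content was first dropped
    drop_paths = {}  # normalised drop path -> sha256
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_create":
            path, h = ev["path"], ev["sha256"]
            if h in drops and norm(path) != norm(drops[h]):
                # Same bytes reappearing at a new location: relocation by hash.
                reasons = ["same hash as earlier drop " + drops[h]]
                if basename(path) != basename(drops[h]):
                    reasons.append("renamed on relocation")
                if matches(path, SENSITIVE_PATHS):
                    reasons.append("written to persistence/exclusion path")
                findings.append({"ts": ev["ts"], "path": path, "reasons": reasons})
            elif ev["process"].lower() in DELIVERY_PARENTS or matches(path, STAGING_PATHS):
                drops.setdefault(h, path)
                drop_paths[norm(path)] = h
        elif ev["type"] == "process_create":
            pair = parse_copy(ev["cmdline"])
            if pair and norm(pair[0]) in drop_paths:
                reasons = ["copy/move of dropped file " + pair[0]]
                if matches(pair[1], SENSITIVE_PATHS):
                    reasons.append("destination is persistence/exclusion path")
                findings.append({"ts": ev["ts"], "path": pair[1], "reasons": reasons})
    return findings


EVENTS = [  # constructed telemetry, not real data
    {"ts": 1, "type": "file_create", "process": "chrome.exe",
     "path": "C:\\Users\\alice\\Downloads\\invoice.exe", "sha256": "aa11"},
    {"ts": 2, "type": "process_create", "cmdline":
     'cmd.exe /c copy /y "C:\\Users\\alice\\Downloads\\invoice.exe" C:\\ProgramData\\svchost.exe'},
    {"ts": 3, "type": "file_create", "process": "cmd.exe",
     "path": "C:\\ProgramData\\svchost.exe", "sha256": "aa11"},
    {"ts": 4, "type": "process_create", "cmdline": "cmd.exe /c del C:\\Users\\alice\\Downloads\\invoice.exe"},
    {"ts": 10, "type": "file_create", "process": "curl", "path": "/tmp/.x/update", "sha256": "bb22"},
    {"ts": 11, "type": "process_create", "cmdline": "cp /tmp/.x/update /usr/sbin/update"},
    {"ts": 12, "type": "file_create", "process": "cp", "path": "/usr/sbin/update", "sha256": "bb22"},
    {"ts": 20, "type": "process_create", "cmdline": "cmd.exe /c copy C:\\Temp\\a.txt C:\\Temp\\b.txt"},
]

if __name__ == "__main__":
    for f in detect_relocation(EVENTS):
        print(f["ts"], f["path"], "; ".join(f["reasons"]))
```

Hash correlation is what catches the move even after the original is deleted (the `del` at ts 4 is invisible to the detector but does not matter, because the drop was recorded when it happened), and it is deliberately independent of timestamps, since a same-volume move keeps the creation time intact. The benign copy at ts 20 produces nothing because its source was never seen as a delivery-stage drop.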

Platforms

Linux, macOS, Network Devices, Windows

Associated Software (1)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S9015 | BRICKSTORM | Malware | [BRICKSTORM](https://attack.mitre.org/software/S9015) has copied itself to the `usr/sbin/` folder.(Citation: CISA BRICKSTORM UNC5221 AR25-338A Februar... |

Frequently Asked Questions

What is T1070.010 (Relocate Malware)?

T1070.010 is the MITRE ATT&CK sub-technique 'Relocate Malware', a sub-technique of Indicator Removal (T1070), listed here under the Stealth tactic. Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses; copying it to new locations may be combined with File Deletion to clean up the older artifacts (see the full Description above).

How can T1070.010 be detected?

Detection of T1070.010 (Relocate Malware) relies on file and process telemetry rather than network traffic. Monitor file creation and rename events for content that reappears at a new path with the same hash as a file dropped earlier by a browser, mail client or Office process, particularly when the new name differs or the destination is a persistence directory or a path covered by an AV/EDR exclusion. Monitor executed commands for copy and move utilities (copy, xcopy, robocopy, cp, mv, Copy-Item, Move-Item) whose source is a download or temp location. Correlate these events with the earlier User Execution or Phishing alerts that the relocation is meant to distance the payload from. Do not rely on creation-timestamp anomalies: a same-volume move preserves the creation timestamp, so no Timestomp-style modification is needed.

What mitigations exist for T1070.010?

Copying and moving files is normal activity, so this sub-technique cannot be blocked outright; the aim is to reduce its value. Keep AV/EDR path exclusions minimal and audited so there are few File/Path Exclusions to relocate into, restrict write access to persistence locations (startup folders, scheduled task directories, cron directories, system binary paths) to administrators, and apply application control so that a renamed copy in a new location still cannot execute. Network segmentation, least privilege and security monitoring remain the general defense-in-depth measures.

Which threat groups use T1070.010?

This page lists no threat groups for T1070.010; its only associated software entry is BRICKSTORM (S9015), which copied itself to the `usr/sbin/` folder. Check the MITRE ATT&CK website for the latest group and software attribution.