Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with File Deletion to cleanup older artifacts.
Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., Match Legitimate Name or Location).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target File/Path Exclusions as well as specific locations associated with establishing Persistence.(Citation: Latrodectus APR 2024)
Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as User Execution and Phishing) that may have generated alerts or otherwise drawn attention from defenders.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| SI-03 | Malicious Code Protection | mitigates | T1070.010 | Relocate Malware | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1070.010 | Relocate Malware | |
| SI-04 | System Monitoring | mitigates | T1070.010 | Relocate Malware |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1070.010 | Relocate Malware |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1070.010 | Relocate Malware |
Comments
Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.
References
|