MITRE ATT&CK Technique
Description
Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to clean up older artifacts.

Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)

Relocating malicious payloads may also hinder defensive analysis, especially by separating these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders. Moving payloads into target directories does not alter the Creation timestamp, thereby evading detection logic reliant on modifications to this artifact (i.e., [Timestomp](https://attack.mitre.org/techniques/T1070/006)).
Supported Platforms
Linux, macOS, Windows, Network Devices
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2024-05-31T11:07:57.406Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Once a payload is delivered, adversaries may reproduce copies '
'of the same malware on the victim system to remove evidence '
'of their presence and/or avoid defenses. Copying malware '
'payloads to new locations may also be combined with [File '
'Deletion](https://attack.mitre.org/techniques/T1070/004) to '
'cleanup older artifacts.\n'
'\n'
'Relocating malware may be a part of many actions intended to '
'evade defenses. For example, adversaries may copy and rename '
'payloads to better blend into the local environment (i.e., '
'[Match Legitimate Resource Name or '
'Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: '
'DFIR Report Trickbot June 2023) Payloads may also be '
'repositioned to target [File/Path '
'Exclusions](https://attack.mitre.org/techniques/T1564/012) as '
'well as specific locations associated with establishing '
'[Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: '
'Latrodectus APR 2024)\n'
'\n'
'Relocating malicious payloads may also hinder defensive '
'analysis, especially to separate these payloads from earlier '
'events (such as [User '
'Execution](https://attack.mitre.org/techniques/T1204) and '
'[Phishing](https://attack.mitre.org/techniques/T1566)) that '
'may have generated alerts or otherwise drawn attention from '
'defenders. Moving payloads into target directories does not '
'alter the Creation timestamp, thereby evading detection logic '
'reliant on modifications to this artifact (i.e., '
'[Timestomp](https://attack.mitre.org/techniques/T1070/006)).',
'external_references': [{'external_id': 'T1070.010',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1070/010'},
{'description': 'Proofpoint Threat Research and Team '
'Cymru S2 Threat Research. (2024, '
'April 4). Latrodectus: This Spider '
'Bytes Like Ice . Retrieved May 31, '
'2024.',
'source_name': 'Latrodectus APR 2024',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice'},
{'description': 'The DFIR Report. (2023, June 12). A '
'Truly Graceful Wipe Out. Retrieved '
'May 31, 2024.',
'source_name': 'DFIR Report Trickbot June 2023',
'url': 'https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/'}],
'id': 'attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-05T16:08:40.119Z',
'name': 'Relocate Malware',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Matt Anderson, @\u200cnosecurething, Huntress',
'Gregory Frey'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows', 'Network Devices'],
'x_mitre_version': '1.2'}