T1070.006 Timestomp Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Windows: PowerShell or .NET-based timestomping
    (FileName in~ ("powershell.exe", "pwsh.exe")
     and ProcessCommandLine matches regex @"(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)")
    or
    // Linux/macOS: touch command with timestamp modification flags
    (FileName in~ ("touch")
     and ProcessCommandLine matches regex @"touch.*(-t |-r |-a |-m |--time=)")
    or
    // Known timestomping utilities
    (FileName in~ ("timestomp.exe", "BTimeStomp.exe"))
    or
    // Meterpreter/Cobalt Strike often use cmd.exe for timestomping
    (FileName =~ "cmd.exe"
     and ProcessCommandLine has_any ("timestomp", "SetCreationTime", "SetLastWriteTime"))
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
| union (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileModified"
    | where FolderPath has_any ("\\System32\\", "\\SysWOW64\\", "\\Windows\\")
    | where InitiatingProcessFileName !in~ ("TrustedInstaller.exe", "wuauclt.exe", "MpSigStub.exe",
                                             "MpCopyAccelerator.exe", "svchost.exe", "tiworker.exe")
    | where FileName endswith ".exe" or FileName endswith ".dll"
    | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
             FileName, FolderPath, ActionType, InitiatingProcessFileName
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Modification Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate backup and restore tools that preserve original file timestamps when restoring files (e.g., Robocopy /COPYALL, xcopy /K)
Software deployment tools that set file timestamps during installation to match source timestamps
touch commands in build scripts to force recompilation by updating source file timestamps
Digital forensics tools that modify timestamps as part of evidence processing (rare but possible)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where (Image like "%powershell.exe" AND match(CommandLine, "(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)"))
   OR (Image like "%touch" AND match(CommandLine, "(-t |-r |-a |-m |--time=)"))
   OR match(Image, "(?i)(timestomp\.exe|BTimeStomp\.exe)")
| eval TimestompMethod=case(
    match(Image, "(?i)powershell"), "PowerShell SetFileTime API",
    match(Image, "(?i)touch"), "Linux/macOS touch command",
    match(Image, "(?i)timestomp"), "Dedicated Timestomping Tool",
    true(), "Unknown"
  )
| table _time, host, User, Image, CommandLine, ParentImage, TimestompMethod
| sort - _time
| append [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=2
    | where NOT (Image like "%TrustedInstaller.exe" OR Image like "%wuauclt.exe" OR Image like "%MpSigStub.exe")
    | where match(TargetFilename, "(?i)\\.(exe|dll)$")
    | eval TimestompMethod="File Creation Time Changed (Sysmon EventCode 2)"
    | table _time, host, User, Image, TargetFilename, PreviousCreationUtcTime, CreationUtcTime, TimestompMethod
]
| sort - _time

high severity high confidence

Data Sources

File: File Modification Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 2

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Robocopy /COPYALL and similar backup tools that preserve source timestamps on destination files
File synchronization tools (rsync, DeltaCopy) that set modification times to match source files
Some software installers that set file timestamps to match the build/release date
Forensic imaging tools that modify timestamps as part of write-blocking or evidence handling

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and (
    (process.name in~ ("powershell.exe", "pwsh.exe") and
     process.command_line regex~ "(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)")
    or
    (process.name == "touch" and
     process.command_line regex~ "touch.+(-t |-r |-a |-m |--time=)")
    or
    process.name in~ ("timestomp.exe", "BTimeStomp.exe")
    or
    (process.name == "cmd.exe" and
     process.command_line regex~ "(?i)(timestomp|SetCreationTime|SetLastWriteTime)")
  )]

any where event.category == "file" and event.action == "modified" and
  file.extension in ("exe", "dll") and
  file.path regex~ "(?i)(\\System32\\|\\SysWOW64\\|\\Windows\\)" and
  not process.name in~ ("TrustedInstaller.exe", "wuauclt.exe", "MpSigStub.exe", "MpCopyAccelerator.exe", "svchost.exe", "tiworker.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate software deployment tools or patch management systems that update file timestamps during installation
Backup and restore software that intentionally preserves or modifies timestamps to match original file metadata
Development tools (e.g., build systems, touch used in Makefiles) that use touch to trigger rebuild chains

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (12, 13, 229)
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    ("Process Name" ILIKE '%powershell.exe' OR "Process Name" ILIKE '%pwsh.exe')
    AND ("Command" ILIKE '%SetLastWriteTime%'
         OR "Command" ILIKE '%SetCreationTime%'
         OR "Command" ILIKE '%SetLastAccessTime%'
         OR ("Command" ILIKE '%[System.IO.File]%' AND "Command" ILIKE '%Time%'))
  )
  OR (
    "Process Name" ILIKE '%touch'
    AND ("Command" ILIKE '% -t %'
         OR "Command" ILIKE '% -r %'
         OR "Command" ILIKE '%--time=%')
  )
  OR "Process Name" ILIKE '%timestomp.exe'
  OR "Process Name" ILIKE '%BTimeStomp.exe'
  OR (
    "Process Name" ILIKE '%cmd.exe'
    AND ("Command" ILIKE '%timestomp%'
         OR "Command" ILIKE '%SetCreationTime%'
         OR "Command" ILIKE '%SetLastWriteTime%')
  )
ORDER BY devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log via QRadar DSM Sysmon via QRadar DSM

Required Tables

events

False Positives

Automated software deployment or CI/CD pipelines using PowerShell to set file timestamps during artifact packaging
Forensic investigation tools (e.g., FTK, Autopsy) that may invoke touch or SetFileTime when restoring evidence images
Cross-platform build tools that use touch on Unix-like systems to force recompilation of artifacts

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=linux/syslog OR _sourceCategory=endpoint/process
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
| parse field=_raw "<Image>*</Image>" as process_image nodrop
| parse field=_raw "<CommandLine>*</CommandLine>" as command_line nodrop
| parse field=_raw "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse field=_raw "<User>*</User>" as user nodrop
| parse field=_raw "<Computer>*</Computer>" as hostname nodrop
| parse field=_raw "<TargetFilename>*</TargetFilename>" as target_filename nodrop
| where event_id in ("1", "2")
| where (
    (matches(process_image, "(?i).*powershell\.exe") OR matches(process_image, "(?i).*pwsh\.exe"))
    AND matches(command_line, "(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)")
  )
  OR (
    matches(process_image, "(?i).*touch$")
    AND matches(command_line, "(-t |-r |-a |-m |--time=)")
  )
  OR matches(process_image, "(?i).*(timestomp\.exe|BTimeStomp\.exe)")
  OR (
    matches(process_image, "(?i).*cmd\.exe")
    AND matches(command_line, "(?i)(timestomp|SetCreationTime|SetLastWriteTime)")
  )
  OR (
    event_id == "2"
    AND matches(target_filename, "(?i)\.(exe|dll)$")
    AND !(matches(process_image, "(?i)(TrustedInstaller|wuauclt|MpSigStub|MpCopyAccelerator|svchost|tiworker)"))
  )
| eval timestomp_method = if(matches(process_image, "(?i)powershell"), "PowerShell SetFileTime API",
    if(matches(process_image, "(?i)touch"), "Linux/macOS touch command",
    if(matches(process_image, "(?i)timestomp"), "Dedicated Timestomping Tool",
    if(event_id == "2", "Sysmon File Creation Time Changed",
    "Unknown"))))
| fields _time, hostname, user, process_image, command_line, parent_image, target_filename, timestomp_method
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic Collector Linux syslog via Sumo Logic Collector

Required Tables

windows/sysmon linux/syslog endpoint/process

False Positives

Software package managers or update utilities that modify timestamps on executables during installation or patching
Version control systems (e.g., git checkout with timestamp preservation) or file synchronization tools that restore original timestamps
Scheduled administrative scripts that reset file timestamps for compliance or auditing purposes

Google Chronicle / SecOps

yaral

rule timestomp_t1070_006 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects file timestomping via PowerShell SetFileTime API, Linux touch command, known timestomping tools, or Sysmon EventCode 2 file creation time changes (MITRE ATT&CK T1070.006)"
    mitre_attack = "T1070.006"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1070/006/"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        (
          re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
          and re.regex($e.target.process.command_line, `(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)`)
        )
        or
        (
          re.regex($e.target.process.file.full_path, `(?i)touch$`)
          and re.regex($e.target.process.command_line, `(-t |-r |-a |-m |--time=)`)
        )
        or re.regex($e.target.process.file.full_path, `(?i)(timestomp\.exe|BTimeStomp\.exe)$`)
        or
        (
          re.regex($e.target.process.file.full_path, `(?i)cmd\.exe$`)
          and re.regex($e.target.process.command_line, `(?i)(timestomp|SetCreationTime|SetLastWriteTime)`)
        )
      )
    )
    or
    (
      $e.metadata.event_type = "FILE_MODIFICATION"
      and re.regex($e.target.file.full_path, `(?i)\.(exe|dll)$`)
      and re.regex($e.target.file.full_path, `(?i)(\\System32\\|\\SysWOW64\\|\\Windows\\)`)
      and not re.regex($e.principal.process.file.full_path, `(?i)(TrustedInstaller\.exe|wuauclt\.exe|MpSigStub\.exe|MpCopyAccelerator\.exe|svchost\.exe|tiworker\.exe)$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint via Chronicle Forwarder CrowdStrike Falcon via Chronicle integration Sysmon via Chronicle

Required Tables

UDM Events (process, file)

False Positives

Enterprise application deployment frameworks that programmatically set file timestamps during staged rollouts across environments
Digital forensics and incident response (DFIR) toolkits that preserve or modify file timestamps when cloning disk images to investigation systems
Automated testing pipelines that use touch or SetFileTime to simulate file age conditions in regression tests

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale - T1070.006 Timestomp Detection
// Detect PowerShell, touch, timestomp.exe, and cmd.exe based timestamp manipulation

#event_simpleName = ProcessRollup2
| regex(field=ImageFileName, regex="(?i)(powershell\.exe|pwsh\.exe|timestomp\.exe|BTimeStomp\.exe|cmd\.exe|touch)$", strict=false)
| where 
    (
      match(field=ImageFileName, regex="(?i)(powershell\.exe|pwsh\.exe)", strict=false)
      and match(field=CommandLine, regex="(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)", strict=false)
    )
    or
    (
      match(field=ImageFileName, regex="(?i)touch$", strict=false)
      and match(field=CommandLine, regex="(-t |-r |-a |-m |--time=)", strict=false)
    )
    or match(field=ImageFileName, regex="(?i)(timestomp\.exe|BTimeStomp\.exe)$", strict=false)
    or
    (
      match(field=ImageFileName, regex="(?i)cmd\.exe$", strict=false)
      and match(field=CommandLine, regex="(?i)(timestomp|SetCreationTime|SetLastWriteTime)", strict=false)
    )
| eval TimestompMethod = case(
    match(ImageFileName, "(?i)powershell"), "PowerShell SetFileTime API",
    match(ImageFileName, "(?i)touch"), "Linux/macOS touch command",
    match(ImageFileName, "(?i)(timestomp|BTimeStomp)"), "Dedicated Timestomping Tool",
    match(ImageFileName, "(?i)cmd\.exe"), "cmd.exe Timestomp",
    true(), "Unknown"
  )
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, TargetProcessId, TimestompMethod])
| sort(@timestamp, order=desc)

// UNION: Detect file creation time changes on Windows system binaries (Sysmon-equivalent via Falcon)
| union [
  #event_simpleName = FileCreateUpdateInfo
  | where match(field=TargetFileName, regex="(?i)\.(exe|dll)$", strict=false)
  | where match(field=TargetFileName, regex="(?i)(\\System32\\|\\SysWOW64\\|\\Windows\\)", strict=false)
  | where not match(field=ImageFileName, regex="(?i)(TrustedInstaller\.exe|wuauclt\.exe|MpSigStub\.exe|svchost\.exe|tiworker\.exe)", strict=false)
  | eval TimestompMethod = "File Creation Time Changed on System Binary"
  | table([@timestamp, ComputerName, UserName, ImageFileName, TargetFileName, TimestompMethod])
  | sort(@timestamp, order=desc)
]

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale (Humio) Falcon Sensor process telemetry

Required Tables

ProcessRollup2 FileCreateUpdateInfo

False Positives

Legitimate red team or pen testing engagements using Cobalt Strike or Metasploit timestomp modules in authorized environments
System administration scripts that use PowerShell to normalize file timestamps across servers during compliance audits
Software packaging tools (e.g., WiX Toolset, Inno Setup) that invoke SetCreationTime or SetLastWriteTime during MSI or installer creation

Timestomp

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections