Detect Timestomp in Google Chronicle
Adversaries modify file timestamps (creation, modification, access, and metadata change times) to make malicious files blend in with legitimate system files or appear to predate the intrusion. On Windows, NTFS stores timestamps in both the $STANDARD_INFORMATION ($SI) attribute (user-visible, modifiable via Win32 API SetFileTime) and the $FILE_NAME ($FN) attribute (kernel-maintained, requires kernel interaction or file move/rename to modify). Most timestomping modifies only $SI, creating a detectable discrepancy between $SI and $FN — a key forensic indicator. Cobalt Strike's timestomp command, Meterpreter's timestomp module, and purpose-built tools target $SI timestamps. Advanced actors (APT28, APT29) perform double timestomping of both attributes. On Linux/macOS, the touch command (-a -m -t or -r flags) sets file timestamps. Actors using timestomping: APT28, APT38, APT32, APT5, UNC3886 (ESXi), Cobalt Strike, Stuxnet, Kimsuky, BlackByte 2.0.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1070 Indicator Removal
- Sub-technique
- T1070.006 Timestomp
- Canonical reference
- https://attack.mitre.org/techniques/T1070/006/
YARA-L Detection Query
rule timestomp_t1070_006 {
meta:
author = "Argus Detection Engineering"
description = "Detects file timestomping via PowerShell SetFileTime API, Linux touch command, known timestomping tools, or Sysmon EventCode 2 file creation time changes (MITRE ATT&CK T1070.006)"
mitre_attack = "T1070.006"
severity = "HIGH"
priority = "HIGH"
reference = "https://attack.mitre.org/techniques/T1070/006/"
events:
(
$e.metadata.event_type = "PROCESS_LAUNCH"
and (
(
re.regex($e.principal.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)$`)
and re.regex($e.target.process.command_line, `(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)`)
)
or
(
re.regex($e.target.process.file.full_path, `(?i)touch$`)
and re.regex($e.target.process.command_line, `(-t |-r |-a |-m |--time=)`)
)
or re.regex($e.target.process.file.full_path, `(?i)(timestomp\.exe|BTimeStomp\.exe)$`)
or
(
re.regex($e.target.process.file.full_path, `(?i)cmd\.exe$`)
and re.regex($e.target.process.command_line, `(?i)(timestomp|SetCreationTime|SetLastWriteTime)`)
)
)
)
or
(
$e.metadata.event_type = "FILE_MODIFICATION"
and re.regex($e.target.file.full_path, `(?i)\.(exe|dll)$`)
and re.regex($e.target.file.full_path, `(?i)(\\System32\\|\\SysWOW64\\|\\Windows\\)`)
and not re.regex($e.principal.process.file.full_path, `(?i)(TrustedInstaller\.exe|wuauclt\.exe|MpSigStub\.exe|MpCopyAccelerator\.exe|svchost\.exe|tiworker\.exe)$`)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1070.006 timestomping. Triggers on process launch events matching PowerShell SetFileTime API patterns, touch command misuse on Linux/macOS, dedicated timestomping executables, cmd.exe orchestrating timestomp, and file modification events on Windows system binaries by untrusted processes.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise application deployment frameworks that programmatically set file timestamps during staged rollouts across environments
- Digital forensics and incident response (DFIR) toolkits that preserve or modify file timestamps when cloning disk images to investigation systems
- Automated testing pipelines that use touch or SetFileTime to simulate file age conditions in regression tests
Other platforms for T1070.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Timestomp Windows File via PowerShell SetFileTime
Expected signal: Sysmon EventCode 2 (FileCreateTime): records the file creation time change from actual creation time to 2010-01-01 00:00:00 UTC, including both PreviousCreationUtcTime and CreationUtcTime fields. PowerShell process creation with SetCreationTime in command line. MDE DeviceFileEvents with ActionType=FileModified. The $SI vs $FN discrepancy is detectable via MFT analysis tools.
- Test 2Timestomp Linux File with touch -t
Expected signal: Linux auditd EXECVE record for touch with -a -m -t 201501010000.00 arguments. Process creation event for touch command with timestamp modification flags and target file path. The file's atime and mtime will be set to 2015-01-01 00:00:00 while the inode change time (ctime) records the actual modification time — the ctime discrepancy is a forensic indicator.
- Test 3Copy File Timestamp from Legitimate System File
Expected signal: Sysmon EventCode 2 (FileCreateTime) for the test file showing the creation time changing to kernel32.dll's creation time. PowerShell process creation with CreationTime and LastWriteTime property assignments. The $FN attribute in the MFT retains the actual creation time of the test file despite $SI being modified to match kernel32.dll.
References (5)
- https://attack.mitre.org/techniques/T1070/006/
- https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping-detection-ntfs-forensics.html
- https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html
- https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
Unlock Pro Content
Get the full detection package for T1070.006 including response playbook, investigation guide, and atomic red team tests.