T1070.006 Elastic Security · Elastic

Detect Timestomp in Elastic Security

Adversaries modify file timestamps (creation, modification, access, and metadata change times) to make malicious files blend in with legitimate system files or appear to predate the intrusion. On Windows, NTFS stores timestamps in both the $STANDARD_INFORMATION ($SI) attribute (user-visible, modifiable via Win32 API SetFileTime) and the $FILE_NAME ($FN) attribute (kernel-maintained, requires kernel interaction or file move/rename to modify). Most timestomping modifies only $SI, creating a detectable discrepancy between $SI and $FN — a key forensic indicator. Cobalt Strike's timestomp command, Meterpreter's timestomp module, and purpose-built tools target $SI timestamps. Advanced actors (APT28, APT29) perform double timestomping of both attributes. On Linux/macOS, the touch command (-a -m -t or -r flags) sets file timestamps. Actors using timestomping: APT28, APT38, APT32, APT5, UNC3886 (ESXi), Cobalt Strike, Stuxnet, Kimsuky, BlackByte 2.0.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.006 Timestomp
Canonical reference
https://attack.mitre.org/techniques/T1070/006/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [process where event.type == "start" and (
    (process.name in~ ("powershell.exe", "pwsh.exe") and
     process.command_line regex~ "(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)")
    or
    (process.name == "touch" and
     process.command_line regex~ "touch.+(-t |-r |-a |-m |--time=)")
    or
    process.name in~ ("timestomp.exe", "BTimeStomp.exe")
    or
    (process.name == "cmd.exe" and
     process.command_line regex~ "(?i)(timestomp|SetCreationTime|SetLastWriteTime)")
  )]

any where event.category == "file" and event.action == "modified" and
  file.extension in ("exe", "dll") and
  file.path regex~ "(?i)(\\System32\\|\\SysWOW64\\|\\Windows\\)" and
  not process.name in~ ("TrustedInstaller.exe", "wuauclt.exe", "MpSigStub.exe", "MpCopyAccelerator.exe", "svchost.exe", "tiworker.exe")
high severity high confidence

Detects file timestomping via PowerShell SetFileTime API calls, Linux touch command with timestamp modification flags, dedicated timestomping utilities (timestomp.exe, BTimeStomp.exe), and suspicious file modification timestamps on Windows system binaries. Covers MITRE ATT&CK T1070.006.

Data Sources

Elastic Endpoint SecurityAuditbeatWinlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

  • Legitimate software deployment tools or patch management systems that update file timestamps during installation
  • Backup and restore software that intentionally preserves or modifies timestamps to match original file metadata
  • Development tools (e.g., build systems, touch used in Makefiles) that use touch to trigger rebuild chains
Download portable Sigma rule (.yml)

Other platforms for T1070.006

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Timestomp Windows File via PowerShell SetFileTime

    Expected signal: Sysmon EventCode 2 (FileCreateTime): records the file creation time change from actual creation time to 2010-01-01 00:00:00 UTC, including both PreviousCreationUtcTime and CreationUtcTime fields. PowerShell process creation with SetCreationTime in command line. MDE DeviceFileEvents with ActionType=FileModified. The $SI vs $FN discrepancy is detectable via MFT analysis tools.

  2. Test 2Timestomp Linux File with touch -t

    Expected signal: Linux auditd EXECVE record for touch with -a -m -t 201501010000.00 arguments. Process creation event for touch command with timestamp modification flags and target file path. The file's atime and mtime will be set to 2015-01-01 00:00:00 while the inode change time (ctime) records the actual modification time — the ctime discrepancy is a forensic indicator.

  3. Test 3Copy File Timestamp from Legitimate System File

    Expected signal: Sysmon EventCode 2 (FileCreateTime) for the test file showing the creation time changing to kernel32.dll's creation time. PowerShell process creation with CreationTime and LastWriteTime property assignments. The $FN attribute in the MFT retains the actual creation time of the test file despite $SI being modified to match kernel32.dll.

Last updated: 2026-04-13 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1070.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1070Indicator Removal

Related Sub-techniques

T1070.001Clear Windows Event LogsT1070.002Clear Linux or Mac System LogsT1070.003Clear Command HistoryT1070.004File DeletionT1070.005Network Share Connection RemovalT1070.007Clear Network Connection History and ConfigurationsT1070.008Clear Mailbox DataT1070.009Clear PersistenceT1070.010Relocate Malware

Related Techniques

T1070.004File DeletionT1036.005Match Legitimate Resource Name or LocationT1574.001DLLT1059.001PowerShellT1105Ingress Tool TransferT1036Masquerading

Same Tactic: Defense Evasion

Popular Detections