T1070.006 Microsoft Sentinel · KQL

Detect Timestomp in Microsoft Sentinel

Adversaries modify file timestamps (creation, modification, access, and metadata change times) to make malicious files blend in with legitimate system files or appear to predate the intrusion. On Windows, NTFS stores timestamps in both the $STANDARD_INFORMATION ($SI) attribute (user-visible, modifiable via Win32 API SetFileTime) and the $FILE_NAME ($FN) attribute (kernel-maintained, requires kernel interaction or file move/rename to modify). Most timestomping modifies only $SI, creating a detectable discrepancy between $SI and $FN — a key forensic indicator. Cobalt Strike's timestomp command, Meterpreter's timestomp module, and purpose-built tools target $SI timestamps. Advanced actors (APT28, APT29) perform double timestomping of both attributes. On Linux/macOS, the touch command (-a -m -t or -r flags) sets file timestamps. Actors using timestomping: APT28, APT38, APT32, APT5, UNC3886 (ESXi), Cobalt Strike, Stuxnet, Kimsuky, BlackByte 2.0.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1070 Indicator Removal
Sub-technique
T1070.006 Timestomp
Canonical reference
https://attack.mitre.org/techniques/T1070/006/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// Layer 1: process-based signals (PowerShell/.NET API calls, touch flags, known tools, cmd.exe signatures)
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Windows: PowerShell or .NET-based timestomping
    (FileName in~ ("powershell.exe", "pwsh.exe")
     and ProcessCommandLine matches regex @"(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)")
    or
    // Linux/macOS: touch command with timestamp modification flags
    (FileName =~ "touch"
     and ProcessCommandLine matches regex @"touch.*(-t |-r |-a |-m |--time=)")
    or
    // Known timestomping utilities
    (FileName in~ ("timestomp.exe", "BTimeStomp.exe"))
    or
    // Meterpreter/Cobalt Strike often use cmd.exe for timestomping
    (FileName =~ "cmd.exe"
     and ProcessCommandLine has_any ("timestomp", "SetCreationTime", "SetLastWriteTime"))
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
// Layer 2: file-based signals (non-updater processes writing .exe/.dll under the Windows directory)
| union (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileModified"
    | where FolderPath has_any ("\\System32\\", "\\SysWOW64\\", "\\Windows\\")
    | where InitiatingProcessFileName !in~ ("TrustedInstaller.exe", "wuauclt.exe", "MpSigStub.exe",
                                             "MpCopyAccelerator.exe", "svchost.exe", "tiworker.exe")
    | where FileName endswith ".exe" or FileName endswith ".dll"
    | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
              FileName, FolderPath, ActionType, InitiatingProcessFileName
)
// A single sort after the union is sufficient; sorting the first branch before the union was redundant
| sort by Timestamp desc
```

Severity: high · Confidence: medium

Detects timestomping via two layers: (1) Process-based detection — PowerShell SetFileTime API calls, touch command with timestamp modification flags (-t, -r, -a, -m), known timestomping tools (timestomp.exe, BTimeStomp.exe), and Cobalt Strike's timestomp command signatures; (2) File-based detection — non-standard processes modifying .exe or .dll files in System32/SysWOW64 without being a trusted Windows updater. Excludes legitimate Windows update processes. Note: the $SI vs $FN discrepancy that is the primary forensic indicator of timestomping is detected via DFIR tools rather than real-time SIEM queries.
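To validate the process-based layer offline before shipping the query, the following Python harness re-implements the same branches over constructed DeviceProcessEvents rows. It is an added example, not the page's query or any vendor code; the host names, user names and command lines are constructed, and the `PS_PROPERTY_RE` pattern is an assumed extension (not in the KQL above) that also covers the `(Get-Item f).CreationTime = ...` property-assignment form that Test 3 below describes, which the KQL regex as written does not match.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Offline re-implementation of the process-based layer of the KQL query (added harness,
# not the page's own code). Field names mirror the DeviceProcessEvents columns it reads.

POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}
KNOWN_TOOLS = {"timestomp.exe", "btimestomp.exe"}
CMD_TERMS = ("timestomp", "setcreationtime", "setlastwritetime")

# Same regexes as the KQL query (RE2 and Python's re agree for these patterns).
PS_API_RE = re.compile(
    r"SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time",
    re.IGNORECASE,
)
TOUCH_RE = re.compile(r"touch.*(-t |-r |-a |-m |--time=)")
# Assumed extension: the property-assignment form (Get-Item f).CreationTime = ...
# used in Test 3, which the KQL regex above does not cover.
PS_PROPERTY_RE = re.compile(r"\.(CreationTime|LastWriteTime|LastAccessTime)\s*=", re.IGNORECASE)


@dataclass
class ProcessEvent:
    timestamp: str
    device_name: str
    account_name: str
    file_name: str
    process_command_line: str
    initiating_process_file_name: str


def classify(ev: ProcessEvent, extended: bool = False) -> Optional[str]:
    """Return the matching detection branch, or None if the event is not flagged."""
    name = ev.file_name.lower()
    cmd = ev.process_command_line
    if name in POWERSHELL_NAMES:
        if PS_API_RE.search(cmd):
            return "powershell_setfiletime"
        if extended and PS_PROPERTY_RE.search(cmd):
            return "powershell_property_assignment"
    if name == "touch" and TOUCH_RE.search(cmd):
        return "touch_timestamp_flags"
    if name in KNOWN_TOOLS:
        return "known_timestomp_tool"
    # KQL has_any is a case-insensitive term match; substring is a slightly looser stand-in.
    if name == "cmd.exe" and any(t in cmd.lower() for t in CMD_TERMS):
        return "cmd_timestomp_signature"
    return None


def detect(events: List[ProcessEvent], extended: bool = False) -> List[Tuple[str, str, str]]:
    """Run classify() over a batch and return (device, file_name, reason) for each hit."""
    hits = []
    for ev in events:
        reason = classify(ev, extended)
        if reason is not None:
            hits.append((ev.device_name, ev.file_name, reason))
    return hits


# Constructed sample events (not real telemetry); hosts, users and paths are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("2024-01-01T10:00:00Z", "WS01", "alice", "powershell.exe",
                 r"powershell.exe -Command [System.IO.File]::SetCreationTime('C:\Temp\test.exe', '2010-01-01')",
                 "cmd.exe"),
    ProcessEvent("2024-01-01T10:01:00Z", "SRV01", "root", "touch",
                 "touch -a -m -t 201501010000.00 /tmp/test.txt", "bash"),
    ProcessEvent("2024-01-01T10:02:00Z", "WS02", "bob", "pwsh.exe",
                 r"pwsh.exe -Command (Get-Item C:\Temp\test.txt).CreationTime = (Get-Item C:\Windows\System32\kernel32.dll).CreationTime",
                 "explorer.exe"),
    ProcessEvent("2024-01-01T10:03:00Z", "WS01", "alice", "powershell.exe",
                 "powershell.exe -Command Get-Date", "explorer.exe"),
    ProcessEvent("2024-01-01T10:04:00Z", "SRV01", "root", "touch",
                 "touch /tmp/newfile", "bash"),
    ProcessEvent("2024-01-01T10:05:00Z", "WS03", "carol", "cmd.exe",
                 "cmd.exe /c dir C:\\Windows\\System32", "explorer.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, extended=True):
        print(hit)
```

With `extended=False` the harness reproduces the query: the SetCreationTime call and the `touch -a -m -t` invocation are flagged, the property-assignment form from Test 3 is not. If that form matters in your environment, add the equivalent alternative to the KQL regex and re-check the benign rows (plain `touch file`, `Get-Date`, `dir`) still pass.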

Data Sources

  • File: File Modification
  • Process: Process Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • Legitimate backup and restore tools that preserve original file timestamps when restoring files (e.g., Robocopy /COPYALL, xcopy /K)
  • Software deployment tools that set file timestamps during installation to match source timestamps
  • touch commands in build scripts to force recompilation by updating source file timestamps
  • Digital forensics tools that modify timestamps as part of evidence processing (rare but possible)
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Timestomp Windows File via PowerShell SetFileTime

    Expected signal: Sysmon EventCode 2 (FileCreateTime): records the file creation time change from actual creation time to 2010-01-01 00:00:00 UTC, including both PreviousCreationUtcTime and CreationUtcTime fields. PowerShell process creation with SetCreationTime in command line. MDE DeviceFileEvents with ActionType=FileModified. The $SI vs $FN discrepancy is detectable via MFT analysis tools.

  2. Test 2: Timestomp Linux File with touch -t

    Expected signal: Linux auditd EXECVE record for touch with -a -m -t 201501010000.00 arguments. Process creation event for touch command with timestamp modification flags and target file path. The file's atime and mtime will be set to 2015-01-01 00:00:00 while the inode change time (ctime) records the actual modification time — the ctime discrepancy is a forensic indicator.

  3. Test 3: Copy File Timestamp from Legitimate System File

    Expected signal: Sysmon EventCode 2 (FileCreateTime) for the test file showing the creation time changing to kernel32.dll's creation time. PowerShell process creation with CreationTime and LastWriteTime property assignments. The $FN attribute in the MFT retains the actual creation time of the test file despite $SI being modified to match kernel32.dll.
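The ctime discrepancy that Test 2 points to can be checked host-side without an MFT parser, because on POSIX filesystems the inode change time (ctime) is kernel-maintained and is bumped by every utime() call. The following Python scanner is an added example, not the page's own code or any tool's: it reports files whose mtime sits far behind their ctime or ahead of the clock, and builds its own fixture in a temporary directory (one untouched file and one whose atime/mtime are set back to 2015-01-01 with os.utime, the same effect as `touch -a -m -t 201501010000.00`). The 30-day threshold is an assumed tuning value.

```python
import os
import tempfile
import time
from typing import Dict, List, Optional, Tuple

# Added harness (not the page's own code) for the ctime indicator described in Test 2.
# POSIX semantics only: on Windows os.stat().st_ctime is the creation time, so the
# comparison below does not apply there.

DAY = 86400.0
STOMPED_EPOCH = 1420070400  # 2015-01-01 00:00:00 UTC, the value used in Test 2


def timestamp_findings(path: str, min_gap_days: float = 30.0,
                       now: Optional[float] = None) -> List[str]:
    """Return human-readable indicators derived from a file's mtime/ctime."""
    if now is None:
        now = time.time()
    st = os.lstat(path)  # lstat: examine symlinks themselves rather than their targets
    findings: List[str] = []
    # Every write or utime() call bumps ctime, so an mtime far behind ctime means the
    # timestamps were changed long after the content supposedly was. chmod/chown/rename
    # and archive extraction also produce this pattern, so treat it as a hunting lead.
    gap_days = (st.st_ctime - st.st_mtime) / DAY
    if gap_days > min_gap_days:
        findings.append(f"mtime predates ctime by {gap_days:.0f} days")
    # A modification time ahead of the clock can only come from an explicit set or clock skew.
    if st.st_mtime > now + DAY:
        findings.append("mtime is in the future")
    return findings


def scan_tree(root: str, min_gap_days: float = 30.0) -> Dict[str, List[str]]:
    """Walk a directory tree and return {path: findings} for files with any indicator."""
    results: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = timestamp_findings(path, min_gap_days)
            if findings:
                results[path] = findings
    return results


def build_fixture(root: str) -> Tuple[str, str]:
    """Create a normal file and one with atime/mtime set back to 2015 (constructed test data)."""
    normal = os.path.join(root, "normal.txt")
    stomped = os.path.join(root, "stomped.txt")
    for p in (normal, stomped):
        with open(p, "w") as fh:
            fh.write("constructed test content\n")
    os.utime(stomped, (STOMPED_EPOCH, STOMPED_EPOCH))  # kernel sets ctime to "now" here
    return normal, stomped


def demo() -> Dict[str, List[str]]:
    """Build the fixture in a temp dir and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {os.path.basename(p): f for p, f in scan_tree(root).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Run against a real tree (for example `scan_tree("/usr/local/bin")`) the output is a triage list, not a verdict: the false-positive sources listed above (restore tools that preserve timestamps, build-script touches) will appear in it as well, so correlate hits with the process telemetry the KQL query collects.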
