Detect Timestomp in Splunk
Adversaries modify file timestamps (creation, modification, access, and metadata change times) to make malicious files blend in with legitimate system files or appear to predate the intrusion. On Windows, NTFS stores timestamps in both the $STANDARD_INFORMATION ($SI) attribute (user-visible, modifiable via Win32 API SetFileTime) and the $FILE_NAME ($FN) attribute (kernel-maintained, requires kernel interaction or file move/rename to modify). Most timestomping modifies only $SI, creating a detectable discrepancy between $SI and $FN — a key forensic indicator. Cobalt Strike's timestomp command, Meterpreter's timestomp module, and purpose-built tools target $SI timestamps. Advanced actors (APT28, APT29) perform double timestomping of both attributes. On Linux/macOS, the touch command (-a -m -t or -r flags) sets file timestamps. Actors using timestomping: APT28, APT38, APT32, APT5, UNC3886 (ESXi), Cobalt Strike, Stuxnet, Kimsuky, BlackByte 2.0.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1070 Indicator Removal
- Sub-technique
- T1070.006 Timestomp
- Canonical reference
- https://attack.mitre.org/techniques/T1070/006/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where (Image like "%powershell.exe" AND match(CommandLine, "(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)"))
OR (Image like "%touch" AND match(CommandLine, "(-t |-r |-a |-m |--time=)"))
OR match(Image, "(?i)(timestomp\.exe|BTimeStomp\.exe)")
| eval TimestompMethod=case(
match(Image, "(?i)powershell"), "PowerShell SetFileTime API",
match(Image, "(?i)touch"), "Linux/macOS touch command",
match(Image, "(?i)timestomp"), "Dedicated Timestomping Tool",
true(), "Unknown"
)
| table _time, host, User, Image, CommandLine, ParentImage, TimestompMethod
| sort - _time
| append [
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=2
| where NOT (Image like "%TrustedInstaller.exe" OR Image like "%wuauclt.exe" OR Image like "%MpSigStub.exe")
| where match(TargetFilename, "(?i)\\.(exe|dll)$")
| eval TimestompMethod="File Creation Time Changed (Sysmon EventCode 2)"
| table _time, host, User, Image, TargetFilename, PreviousCreationUtcTime, CreationUtcTime, TimestompMethod
]
| sort - _timeDetects timestomping via two methods: (1) Sysmon EventCode 1 (process creation) for PowerShell SetFileTime calls, touch with timestamp flags, and dedicated timestomping tools; (2) Sysmon EventCode 2 (file creation time changed) — Sysmon specifically records when a file's creation time is modified, which is a direct indicator of timestomping. EventCode 2 alerts are high confidence since legitimate software rarely modifies file creation timestamps. Excludes trusted Windows update processes.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Robocopy /COPYALL and similar backup tools that preserve source timestamps on destination files
- File synchronization tools (rsync, DeltaCopy) that set modification times to match source files
- Some software installers that set file timestamps to match the build/release date
- Forensic imaging tools that modify timestamps as part of write-blocking or evidence handling
Other platforms for T1070.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Timestomp Windows File via PowerShell SetFileTime
Expected signal: Sysmon EventCode 2 (FileCreateTime): records the file creation time change from actual creation time to 2010-01-01 00:00:00 UTC, including both PreviousCreationUtcTime and CreationUtcTime fields. PowerShell process creation with SetCreationTime in command line. MDE DeviceFileEvents with ActionType=FileModified. The $SI vs $FN discrepancy is detectable via MFT analysis tools.
- Test 2Timestomp Linux File with touch -t
Expected signal: Linux auditd EXECVE record for touch with -a -m -t 201501010000.00 arguments. Process creation event for touch command with timestamp modification flags and target file path. The file's atime and mtime will be set to 2015-01-01 00:00:00 while the inode change time (ctime) records the actual modification time — the ctime discrepancy is a forensic indicator.
- Test 3Copy File Timestamp from Legitimate System File
Expected signal: Sysmon EventCode 2 (FileCreateTime) for the test file showing the creation time changing to kernel32.dll's creation time. PowerShell process creation with CreationTime and LastWriteTime property assignments. The $FN attribute in the MFT retains the actual creation time of the test file despite $SI being modified to match kernel32.dll.
References (5)
- https://attack.mitre.org/techniques/T1070/006/
- https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping-detection-ntfs-forensics.html
- https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html
- https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
Unlock Pro Content
Get the full detection package for T1070.006 including response playbook, investigation guide, and atomic red team tests.