Detect Timestomp in Sumo Logic CSE
Adversaries modify file timestamps (creation, modification, access, and metadata change times) to make malicious files blend in with legitimate system files or appear to predate the intrusion. On Windows, NTFS stores timestamps in both the $STANDARD_INFORMATION ($SI) attribute (user-visible, modifiable via Win32 API SetFileTime) and the $FILE_NAME ($FN) attribute (kernel-maintained, requires kernel interaction or file move/rename to modify). Most timestomping modifies only $SI, creating a detectable discrepancy between $SI and $FN — a key forensic indicator. Cobalt Strike's timestomp command, Meterpreter's timestomp module, and purpose-built tools target $SI timestamps. Advanced actors (APT28, APT29) perform double timestomping of both attributes. On Linux/macOS, the touch command (-a -m -t or -r flags) sets file timestamps. Actors using timestomping: APT28, APT38, APT32, APT5, UNC3886 (ESXi), Cobalt Strike, Stuxnet, Kimsuky, BlackByte 2.0.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1070 Indicator Removal
- Sub-technique: T1070.006 Timestomp
- Canonical reference: https://attack.mitre.org/techniques/T1070/006/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=linux/syslog OR _sourceCategory=endpoint/process
| parse field=_raw "<EventID>*</EventID>" as event_id nodrop
| parse field=_raw "<Image>*</Image>" as process_image nodrop
| parse field=_raw "<CommandLine>*</CommandLine>" as command_line nodrop
| parse field=_raw "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse field=_raw "<User>*</User>" as user nodrop
| parse field=_raw "<Computer>*</Computer>" as hostname nodrop
| parse field=_raw "<TargetFilename>*</TargetFilename>" as target_filename nodrop
| where event_id in ("1", "2")
| where (
(matches(process_image, "(?i).*powershell\.exe") OR matches(process_image, "(?i).*pwsh\.exe"))
AND matches(command_line, "(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)")
)
OR (
matches(process_image, "(?i).*touch$")
AND matches(command_line, "(-t |-r |-a |-m |--time=)")
)
OR matches(process_image, "(?i).*(timestomp\.exe|BTimeStomp\.exe)")
OR (
matches(process_image, "(?i).*cmd\.exe")
AND matches(command_line, "(?i)(timestomp|SetCreationTime|SetLastWriteTime)")
)
OR (
event_id == "2"
AND matches(target_filename, "(?i)\.(exe|dll)$")
AND !(matches(process_image, "(?i)(TrustedInstaller|wuauclt|MpSigStub|MpCopyAccelerator|svchost|tiworker)"))
)
| eval timestomp_method = if(matches(process_image, "(?i)powershell"), "PowerShell SetFileTime API",
if(matches(process_image, "(?i)touch"), "Linux/macOS touch command",
if(matches(process_image, "(?i)timestomp"), "Dedicated Timestomping Tool",
if(event_id == "2", "Sysmon File Creation Time Changed",
"Unknown"))))
| fields _time, hostname, user, process_image, command_line, parent_image, target_filename, timestomp_method
| sort by _time desc

Detects T1070.006 timestomping via Sysmon EventID 1 (Process Create) for PowerShell SetFileTime calls, touch command misuse and dedicated timestomping tools, and via Sysmon EventID 2 (File Creation Time Changed) for creation-time changes on .exe/.dll files by processes outside the servicing and update allow-list. Each alert is enriched with a timestomp_method field that classifies the detection method.
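As an added example (not part of the original page and not Sumo Logic's own code), the Python below re-implements the query's parse, where and eval stages over a handful of constructed Sysmon-style events, so each clause can be checked offline before the rule goes live. It assumes events rendered with plain <Image>, <CommandLine> and similar tags, exactly as the parse statements expect, and approximates Sumo's matches() with Python's re.search; the hostnames, user names, paths and command lines are constructed for the example.

```python
import re

# Field -> tag mapping, mirroring the parse statements in the query above.
FIELDS = {
    "event_id": "EventID", "process_image": "Image", "command_line": "CommandLine",
    "parent_image": "ParentImage", "user": "User", "hostname": "Computer",
    "target_filename": "TargetFilename",
}

# Processes allowed to change creation times on .exe/.dll files (the query's exclusion list).
SYSTEM_UPDATERS = r"(?i)(TrustedInstaller|wuauclt|MpSigStub|MpCopyAccelerator|svchost|tiworker)"

# Constructed Sysmon-style events (hostnames, users and paths are made up for this example).
SAMPLE_EVENTS = [
    # EventID 1: PowerShell calling the SetCreationTime API on a user file
    r"<Event><EventID>1</EventID><Computer>WS01.corp.example</Computer><User>CORP\alice</User>"
    r"<Image>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>"
    r"<CommandLine>powershell.exe -Command [System.IO.File]::SetCreationTime('C:\Users\Public\sample.txt', '2010-01-01 00:00:00')</CommandLine>"
    r"<ParentImage>C:\Windows\System32\cmd.exe</ParentImage></Event>",
    # EventID 2 from TrustedInstaller during servicing: expected noise, removed by the allow-list
    r"<Event><EventID>2</EventID><Computer>WS01.corp.example</Computer><User>NT AUTHORITY\SYSTEM</User>"
    r"<Image>C:\Windows\servicing\TrustedInstaller.exe</Image>"
    r"<TargetFilename>C:\Windows\System32\sample.dll</TargetFilename></Event>",
    # EventID 2 raised by a binary in a user-writable temp directory rewriting a DLL's creation time
    r"<Event><EventID>2</EventID><Computer>WS01.corp.example</Computer><User>CORP\alice</User>"
    r"<Image>C:\Users\alice\AppData\Local\Temp\update.exe</Image>"
    r"<TargetFilename>C:\Windows\Temp\svc.dll</TargetFilename></Event>",
    # EventID 1 from Sysmon for Linux: touch with explicit -t (the Atomic test described on the page)
    r"<Event><EventID>1</EventID><Computer>srv01.corp.example</Computer><User>bob</User>"
    r"<Image>/usr/bin/touch</Image><CommandLine>touch -a -m -t 201501010000.00 /tmp/sample</CommandLine>"
    r"<ParentImage>/bin/bash</ParentImage></Event>",
    # EventID 1: ordinary cmd.exe activity, must not match
    r"<Event><EventID>1</EventID><Computer>WS01.corp.example</Computer><User>CORP\alice</User>"
    r"<Image>C:\Windows\System32\cmd.exe</Image><CommandLine>cmd.exe /c dir C:\Users</CommandLine>"
    r"<ParentImage>C:\Windows\explorer.exe</ParentImage></Event>",
]


def parse_event(raw):
    """Equivalent of the `parse ... nodrop` lines: a missing tag yields an empty field, not a dropped event."""
    event = {}
    for key, tag in FIELDS.items():
        m = re.search(rf"<{tag}>(.*?)</{tag}>", raw, re.S)
        event[key] = m.group(1) if m else ""
    return event


def matches(value, pattern):
    """Approximation of Sumo's matches() with a regex pattern (search semantics, assumed here)."""
    return re.search(pattern, value) is not None


def classify(event):
    """Apply the where clauses and the eval chain; return timestomp_method or None when filtered out."""
    eid, img, cmd, tgt = (event["event_id"], event["process_image"],
                          event["command_line"], event["target_filename"])
    if eid not in ("1", "2"):
        return None
    hit = (
        (matches(img, r"(?i).*powershell\.exe") or matches(img, r"(?i).*pwsh\.exe"))
        and matches(cmd, r"(?i)(SetLastWriteTime|SetCreationTime|SetLastAccessTime|\[System\.IO\.File\].*Time)")
    ) or (
        matches(img, r"(?i).*touch$") and matches(cmd, r"(-t |-r |-a |-m |--time=)")
    ) or matches(img, r"(?i).*(timestomp\.exe|BTimeStomp\.exe)") or (
        matches(img, r"(?i).*cmd\.exe") and matches(cmd, r"(?i)(timestomp|SetCreationTime|SetLastWriteTime)")
    ) or (
        eid == "2" and matches(tgt, r"(?i)\.(exe|dll)$") and not matches(img, SYSTEM_UPDATERS)
    )
    if not hit:
        return None
    # Same ordering as the nested if() in the eval stage.
    if matches(img, r"(?i)powershell"):
        return "PowerShell SetFileTime API"
    if matches(img, r"(?i)touch"):
        return "Linux/macOS touch command"
    if matches(img, r"(?i)timestomp"):
        return "Dedicated Timestomping Tool"
    if eid == "2":
        return "Sysmon File Creation Time Changed"
    return "Unknown"


def run(raw_events):
    """Return the rows the query's `fields` stage would emit, in input order."""
    rows = []
    for raw in raw_events:
        event = parse_event(raw)
        method = classify(event)
        if method is not None:
            rows.append({**event, "timestomp_method": method})
    return rows


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row["hostname"], row["user"], row["process_image"], "->", row["timestomp_method"])
```

Running it keeps the PowerShell SetCreationTime call, the touch -t invocation and the EventID 2 record from the temp-directory binary, and drops the TrustedInstaller EventID 2 and the plain cmd.exe dir. One thing the walk-through makes visible: a pwsh.exe hit passes the first where clause but not the "(?i)powershell" test in the eval chain, so it is labelled "Unknown" rather than "PowerShell SetFileTime API"; widening that eval pattern to "(?i)(powershell|pwsh)" keeps the classification consistent for both hosts.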
Data Sources
Required Tables
False Positives & Tuning
- Software package managers or update utilities that modify timestamps on executables during installation or patching
- Version control systems (e.g., git checkout with timestamp preservation) or file synchronization tools that restore original timestamps
- Scheduled administrative scripts that reset file timestamps for compliance or auditing purposes
Other platforms for T1070.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Timestomp Windows File via PowerShell SetFileTime
  Expected signal: Sysmon EventCode 2 (FileCreateTime) records the file creation time change from the actual creation time to 2010-01-01 00:00:00 UTC, including both the PreviousCreationUtcTime and CreationUtcTime fields. PowerShell process creation with SetCreationTime in the command line. MDE DeviceFileEvents with ActionType=FileModified. The $SI vs $FN discrepancy is detectable via MFT analysis tools.
- Test 2: Timestomp Linux File with touch -t
  Expected signal: Linux auditd EXECVE record for touch with -a -m -t 201501010000.00 arguments. Process creation event for the touch command with timestamp modification flags and the target file path. The file's atime and mtime will be set to 2015-01-01 00:00:00 while the inode change time (ctime) records the actual modification time — the ctime discrepancy is a forensic indicator.
- Test 3: Copy File Timestamp from Legitimate System File
  Expected signal: Sysmon EventCode 2 (FileCreateTime) for the test file showing the creation time changing to kernel32.dll's creation time. PowerShell process creation with CreationTime and LastWriteTime property assignments. The $FN attribute in the MFT retains the actual creation time of the test file despite $SI being modified to match kernel32.dll.
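The three expected-signal notes above come down to two forensic comparisons: $SI against $FN in the MFT record on NTFS, and atime/mtime against ctime on Linux. As an added example (not from the page, Atomic Red Team or any named tool), the Python below encodes those comparisons and runs them against constructed $SI/$FN timestamp pairs modelled on Tests 1 and 3 plus a benign copied file, and against a scratch file backdated with os.utime the way Test 2's touch -t does. The timestamps, the zero-sub-second heuristic for API-set $SI values and the 30-day gap threshold are assumptions of the example; a real MFT parser would feed the same dicts.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def ntfs_si_fn_anomalies(si, fn, tolerance=timedelta(seconds=2)):
    """Compare one MFT record's $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps.

    si and fn are dicts of UTC datetimes keyed created/modified/accessed/mft_changed.
    """
    findings = []
    # $FN creation is written by the kernel and is not reachable through SetFileTime, so $SI
    # claiming an earlier creation than $FN is the discrepancy the page describes.
    if si["created"] + tolerance < fn["created"]:
        findings.append("$SI creation predates $FN creation")
    # Heuristic (an assumption of this example): values set through the API from a string such as
    # '2010-01-01 00:00:00' carry no fractional seconds, while kernel-written $FN values do.
    for key in si:
        if si[key].microsecond == 0 and fn[key].microsecond != 0:
            findings.append(f"$SI {key} has zero fractional seconds while $FN {key} does not")
    return findings


def posix_anomalies(st, min_gap=timedelta(days=30)):
    """Inspect an os.stat_result from Linux/macOS. utime()/touch can set atime and mtime, but ctime
    is written by the kernel on every inode change and cannot be set from user space."""
    findings = []
    mtime = datetime.fromtimestamp(st.st_mtime, UTC)
    ctime = datetime.fromtimestamp(st.st_ctime, UTC)
    if mtime > ctime + timedelta(seconds=1):
        findings.append("mtime is newer than ctime")
    # Weaker signal: a backdated mtime next to a recent ctime, the touch -t / touch -r pattern.
    # chmod, chown and rename also bump ctime alone, hence the tunable gap.
    if ctime - mtime > min_gap:
        findings.append("mtime is far older than the last inode change (touch -t / -r pattern)")
    return findings


def _ts(text, micro=0):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC, microsecond=micro)


def _mft(created, modified, mft_changed=None):
    return {"created": created, "modified": modified, "accessed": modified,
            "mft_changed": mft_changed or modified}


REAL_CREATE = _ts("2024-03-10 09:15:02", 481920)  # constructed true creation time of the test file

# Constructed ($SI, $FN) pairs; none of these are real evidence.
SAMPLE_RECORDS = {
    # Test 1: SetCreationTime pushed $SI creation back to 2010-01-01; $FN keeps the real time
    "test1_setfiletime": (_mft(_ts("2010-01-01 00:00:00"), REAL_CREATE, _ts("2024-03-10 09:15:07", 120004)),
                          _mft(REAL_CREATE, REAL_CREATE)),
    # Test 3: $SI copied from a system DLL (fractional seconds preserved), $FN untouched
    "test3_copy_from_system_dll": (_mft(_ts("2019-12-07 09:08:12", 345678), _ts("2019-12-07 09:08:12", 345678),
                                        _ts("2024-03-10 09:15:07", 120004)),
                                   _mft(REAL_CREATE, REAL_CREATE)),
    # Benign: a file copied in 2024 keeps its 2022 modified time, but the creation times agree
    "benign_copy": (_mft(REAL_CREATE, _ts("2022-05-01 12:00:00", 77100)),
                    _mft(REAL_CREATE, REAL_CREATE)),
}


def check_sample(name):
    si, fn = SAMPLE_RECORDS[name]
    return ntfs_si_fn_anomalies(si, fn)


def demo_posix():
    """Create a scratch file, backdate atime/mtime as Test 2 does, and inspect it."""
    backdated = datetime(2015, 1, 1, tzinfo=UTC).timestamp()
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"sample")
        os.close(fd)
        os.utime(path, (backdated, backdated))  # same effect as: touch -a -m -t 201501010000.00
        return posix_anomalies(os.stat(path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(name, check_sample(name))
    print("scratch file", demo_posix())
```

The Test 1 record trips both the $SI-before-$FN rule and the zero-fraction heuristic, the Test 3 record trips only the first (the copied kernel32.dll values keep their fractional seconds, which is why the $FN comparison matters), and the benign copy trips neither, because a copy sets $SI creation and $FN creation together even though the copied modified time is older. The gap rule on the scratch file is the same noise source listed under False Positives & Tuning: anything that restores old mtimes after a recent write or permission change will look like this, so baseline it per directory before alerting.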
References
- https://attack.mitre.org/techniques/T1070/006/
- https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping-detection-ntfs-forensics.html
- https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html
- https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md