title: Timestomp (T1070.006)
id: df00tech-t1070-006
status: experimental
description: "Adversaries modify file timestamps (creation, modification, access, and metadata change times) so that malicious files blend in with legitimate system files or appear to predate the intrusion. On Windows, NTFS stores timestamps in both the $STANDARD_INFORMATION ($SI) attribute (user-visible, modifiable via the Win32 SetFileTime API) and the $FILE_NAME ($FN) attribute (kernel-maintained; changing it requires kernel interaction or a file move/rename). Most timestomping modifies only $SI, which creates a detectable discrepancy between $SI and $FN and is a key forensic indicator. Cobalt Strike's timestomp command, Meterpreter's timestomp module, and purpose-built tools target $SI timestamps. Advanced actors (APT28, APT29) perform double timestomping of both attributes. On Linux/macOS, the touch command (-a, -m, -t, or -r flags) sets file timestamps. Actors and tooling associated with timestomping: APT28, APT38, APT32, APT5, UNC3886 (ESXi), Cobalt Strike, Stuxnet, Kimsuky, BlackByte 2.0."
references:
  - https://attack.mitre.org/techniques/T1070/006/
  - https://df00tech.com/detections/T1070.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1070.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the df00tech detection logic could not be auto-translated to Sigma;
  # see the KQL/SPL query on df00tech. As written, the selection below matches every
  # process_creation event and must be replaced with real logic before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate backup and restore tools that preserve original file timestamps when restoring files (e.g., Robocopy /COPYALL, xcopy /K)"
  - Software deployment tools that set file timestamps during installation to match source timestamps
  - touch commands in build scripts to force recompilation by updating source file timestamps
  - Digital forensics tools that modify timestamps as part of evidence processing (rare but possible)
level: high
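The description above names two concrete detection opportunities: the $SI/$FN discrepancy left by tools that only call SetFileTime, and `touch` invocations that set an explicit timestamp on Linux/macOS. The following is an added example written for this page, not code from the df00tech rule or its KQL/SPL query. It assumes MFT timestamps have already been parsed into per-record fields (the `MftTimestamps` field names are an assumption) and operates on constructed sample records and command lines.

```python
"""Flag NTFS $SI/$FN timestamp inconsistencies and explicit-time `touch` usage.

Added example for the T1070.006 rule page; not part of the df00tech rule.
Record field names and all sample data below are constructed for illustration.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class MftTimestamps:
    """Creation/modification times from $STANDARD_INFORMATION ($SI) and
    $FILE_NAME ($FN) for one MFT record (field names are an assumption)."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def check_mft_record(rec: MftTimestamps) -> list[str]:
    """Return the timestomping indicators found on a single record."""
    findings = []
    # Strong indicator: $FN creation is written by the kernel and is not
    # reachable through SetFileTime, so a user-visible ($SI) birth time that
    # predates it does not arise from normal file operations.
    if rec.si_created < rec.fn_created:
        findings.append("si_created_before_fn_created")
    # Weaker heuristic: NTFS keeps 100 ns precision, so $SI values truncated to
    # whole seconds while $FN still carries a fraction suggest a tool set them.
    si_whole_seconds = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_has_fraction = rec.fn_created.microsecond != 0 or rec.fn_modified.microsecond != 0
    if si_whole_seconds and fn_has_fraction:
        findings.append("si_zero_subsecond_precision")
    # Deliberately not flagged: si_modified < fn_created. Copying a file keeps
    # the source's modification time while the copy gets a new creation time,
    # so that pattern is common on legitimate files. Double timestomping of
    # both attributes (as the description notes for APT28/APT29) defeats these
    # checks entirely and needs other evidence ($LogFile/USN, MFT sequence).
    return findings


# touch flags that set an explicit time instead of "now"; -t and -r are the
# ones named on the page, -d/--date and --reference are GNU equivalents.
TOUCH_TIME_FLAGS = {"-t", "-r", "-d", "--date", "--reference"}


def touch_sets_explicit_time(cmdline: str) -> bool:
    """True when a command line runs touch with an explicit-timestamp flag.
    A plain `touch file` (the build-script false positive) returns False."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return False
    if not argv or argv[0].rsplit("/", 1)[-1] != "touch":
        return False
    for arg in argv[1:]:
        if arg in TOUCH_TIME_FLAGS or arg.startswith(("--date=", "--reference=")):
            return True
        # Combined short options such as -amt or -rt
        if arg.startswith("-") and not arg.startswith("--") and len(arg) > 2:
            if set(arg[1:]) & {"t", "r", "d"}:
                return True
    return False


def constructed_samples() -> list[MftTimestamps]:
    """Constructed sample records: one timestomped via $SI only, one benign copy."""
    utc = timezone.utc
    return [
        MftTimestamps(
            "C:\\Windows\\Temp\\update.exe",
            si_created=datetime(2019, 3, 12, 8, 0, 0, tzinfo=utc),
            si_modified=datetime(2019, 3, 12, 8, 0, 0, tzinfo=utc),
            fn_created=datetime(2025, 11, 2, 14, 31, 7, 418200, tzinfo=utc),
            fn_modified=datetime(2025, 11, 2, 14, 31, 7, 418200, tzinfo=utc),
        ),
        MftTimestamps(  # file copied from elsewhere: modified < created is normal
            "C:\\Users\\alice\\report.docx",
            si_created=datetime(2025, 11, 3, 9, 5, 2, 112000, tzinfo=utc),
            si_modified=datetime(2025, 10, 20, 16, 45, 9, 901300, tzinfo=utc),
            fn_created=datetime(2025, 11, 3, 9, 5, 2, 112000, tzinfo=utc),
            fn_modified=datetime(2025, 11, 3, 9, 5, 2, 112000, tzinfo=utc),
        ),
    ]


if __name__ == "__main__":
    for rec in constructed_samples():
        print(rec.path, check_mft_record(rec))
    for cmd in ("touch -t 201903120800 /opt/app/lib.so", "touch src/main.c"):
        print(cmd, "->", touch_sets_explicit_time(cmd))
```

The $SI/$FN comparison is what makes the rule's $SI-only timestomping detectable; the whole-second heuristic is secondary and should only raise severity, never alert on its own, since installers and archive extractors can also write second-granularity times.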
