File Creation Time Changed

Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file, often to mimic files that are in trusted directories.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/01/17"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content
13with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in
14trusted directories.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "File Creation Time Changed"
21risk_score = 47
22rule_id = "166727ab-6768-4e26-b80c-948b228ffc06"
23severity = "medium"
24tags = [
25    "Domain: Endpoint",
26    "OS: Windows",
27    "Use Case: Threat Detection",
28    "Tactic: Defense Evasion",
29    "Data Source: Sysmon",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35file where host.os.type == "windows" and event.code : "2" and
36
37 /* Requires Sysmon EventID 2 - File creation time change */
38 event.action : "File creation time changed*" and 
39 
40 not process.executable : 
41          ("?:\\Program Files\\*", 
42           "?:\\Program Files (x86)\\*", 
43           "?:\\Windows\\system32\\cleanmgr.exe",
44           "?:\\Windows\\system32\\msiexec.exe", 
45           "?:\\Windows\\syswow64\\msiexec.exe", 
46           "?:\\Windows\\system32\\svchost.exe", 
47           "?:\\WINDOWS\\system32\\backgroundTaskHost.exe",
48           "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", 
49           "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
50           "?:\\Users\\*\\AppData\\Local\\slack\\app-*\\slack.exe", 
51           "?:\\Users\\*\\AppData\\Local\\GitHubDesktop\\app-*\\GitHubDesktop.exe",
52           "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", 
53           "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe") and 
54 not file.extension : ("temp", "tmp", "~tmp", "xml", "newcfg") and not user.name : ("SYSTEM", "Local Service", "Network Service") and
55 not file.name : ("LOG", "temp-index", "license.rtf", "iconcache_*.db")
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1070"
63name = "Indicator Removal"
64reference = "https://attack.mitre.org/techniques/T1070/"
65[[rule.threat.technique.subtechnique]]
66id = "T1070.006"
67name = "Timestomp"
68reference = "https://attack.mitre.org/techniques/T1070/006/"
69
70
71
72[rule.threat.tactic]
73id = "TA0005"
74name = "Defense Evasion"
75reference = "https://attack.mitre.org/tactics/TA0005/"
