File Creation Time Changed
Identifies modification of a file's creation time, as reported by Sysmon Event ID 2 (FileCreateTime). Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file, often to mimic files that are in trusted directories. Note that Sysmon records only changes made through the file system API (for example SetFileTime), which rewrite the creation time held in the file's $STANDARD_INFORMATION attribute; the $FILE_NAME attribute keeps its own timestamps, so a $STANDARD_INFORMATION creation time that predates the $FILE_NAME creation time is a useful forensic indicator when you follow up on an alert.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/01/17"
integration = ["windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content
with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in
trusted directories.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "File Creation Time Changed"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating File Creation Time Changed
File creation timestamps are crucial for tracking file history and integrity. Adversaries may alter these timestamps, a tactic known as timestomping, to disguise malicious files as benign. This detection rule leverages Sysmon logs to identify suspicious changes in file creation times, excluding trusted processes and file types, thus highlighting potential evasion attempts by attackers.

### Possible investigation steps

- Review the Sysmon logs to confirm the event code 2, which indicates a file creation time change, and verify the associated process and file details.
- Identify the process executable path that triggered the alert and determine if it is outside the list of trusted paths specified in the query.
- Check the file extension and name to ensure they are not part of the excluded types such as "temp", "tmp", or "LOG".
- Investigate the user account associated with the event to determine if it is a non-system account, as the query excludes "SYSTEM", "Local Service", and "Network Service".
- Correlate the file creation time change event with other security events or logs to identify any related suspicious activities or patterns.
- Assess the file's location and context to determine if it is in a sensitive or unusual directory that could indicate malicious intent.
- If necessary, perform a deeper forensic analysis on the file and process to identify any potential malicious behavior or indicators of compromise.

### False positive analysis

- Trusted software updates or installations may alter file creation times. Exclude known update processes like msiexec.exe from detection to reduce noise.
- System maintenance tasks, such as disk cleanup, can modify timestamps. Exclude cleanmgr.exe to prevent these benign changes from triggering alerts.
- User-initiated actions in trusted applications like Chrome or Firefox might change file creation times. Exclude these applications to avoid unnecessary alerts.
- Temporary files created by legitimate processes may have altered timestamps. Exclude file extensions like temp and tmp to minimize false positives.
- System accounts such as SYSTEM or Local Service may perform legitimate file operations. Exclude these user names to focus on suspicious activities.

### Response and remediation

- Isolate the affected system from the network to prevent further malicious activity and lateral movement by the adversary.
- Conduct a thorough review of the file in question to determine if it is malicious. Use a combination of antivirus scans and manual analysis to assess the file's behavior and origin.
- If the file is confirmed to be malicious, remove it from the system and any other locations it may have been copied to. Ensure that all associated processes are terminated.
- Restore any affected files from a known good backup to ensure data integrity and continuity.
- Review and update endpoint protection settings to ensure that similar threats are detected and blocked in the future. This may include adjusting Sysmon configurations to enhance logging and detection capabilities.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.
- Document the incident, including all actions taken, to improve future response efforts and update threat intelligence databases with any new indicators of compromise (IOCs) identified."""
risk_score = 47
rule_id = "166727ab-6768-4e26-b80c-948b228ffc06"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and
  event.provider == "Microsoft-Windows-Sysmon" and
  /* File creation time change */
  event.code == "2" and
  not process.executable :
         ("?:\\Program Files\\*",
          "?:\\Program Files (x86)\\*",
          "?:\\Windows\\system32\\cleanmgr.exe",
          "?:\\Windows\\system32\\msiexec.exe",
          "?:\\Windows\\syswow64\\msiexec.exe",
          "?:\\Windows\\system32\\svchost.exe",
          "?:\\WINDOWS\\system32\\backgroundTaskHost.exe",
          "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
          "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
          "?:\\Users\\*\\AppData\\Local\\slack\\app-*\\slack.exe",
          "?:\\Users\\*\\AppData\\Local\\GitHubDesktop\\app-*\\GitHubDesktop.exe",
          "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
          "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe") and
  not file.extension : ("temp", "tmp", "~tmp", "xml", "newcfg") and not user.name : ("SYSTEM", "Local Service", "Network Service") and
  not file.name : ("LOG", "temp-index", "license.rtf", "iconcache_*.db")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.006"
name = "Timestomp"
reference = "https://attack.mitre.org/techniques/T1070/006/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Code Signing Policy Modification Through Built-in tools
- Command Execution via ForFiles
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process