Potential Timestomp in Executable Files

Identifies the modification of a file creation time for executable files in sensitive system directories. Adversaries may modify file time attributes to blend malicious executables with legitimate system files. Timestomping is a technique that modifies a file's timestamps, often so that it mimics files in trusted directories.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/01/17"
integration = ["windows"]
maturity = "production"
updated_date = "2026/02/12"

[rule]
author = ["Elastic"]
description = """
Identifies the modification of a file creation time for executable files in sensitive system directories. Adversaries
may modify file time attributes to blend malicious executables with legitimate system files. Timestomping is a technique
that modifies the timestamps of a file often to mimic files that are in trusted directories.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Timestomp in Executable Files"
note = """## Triage and analysis

> **Disclaimer**:
> This guide was created by humans with the assistance of generative AI. While its contents have been manually curated to include the most valuable information, always validate assumptions and adjust procedures to match your internal runbooks and incident triage and response policies.

### Investigating Potential Timestomp in Executable Files

This alert indicates that a process modified the creation timestamp of a file with an executable extension in a sensitive Windows directory or a common persistence location. Timestomping can be used to make recently created or modified files appear older and blend in with legitimate system content.

#### Possible investigation steps
- Establish scope and validate context:
  - Identify the affected endpoint using `host.name` and `host.id`, and determine whether similar alerts or related file-timestamp changes are occurring on the same host.
  - Review `user.name`, `user.domain`, and `user.id` to understand whether the account typically performs administrative or software management activities on this endpoint.
  - Use `@timestamp` to bound a focused time window for pivots (for example, shortly before and after the change).

- Assess the timestamp change behavior:
  - Compare `winlog.event_data.PreviousCreationUtcTime` to `winlog.event_data.CreationUtcTime` and note whether the timestamp was backdated, forward-dated, or aligned to an apparent baseline.
  - Identify whether multiple files were modified in the same window by searching for additional events on the same `host.id` and `process.entity_id`.

- Evaluate the target file:
  - Review `file.path`, `file.directory`, `file.name`, and `file.extension` to determine whether the target is expected in that location and whether the name resembles a legitimate component for the directory.
  - If the file is in a Startup location, treat it as a potential persistence artifact and prioritize determining whether it later executed on the host.
  - If the file is in a system directory, assess whether the host role and recent maintenance activity could reasonably explain changes to that specific file.

- Investigate the process responsible for the change:
  - Review `process.executable` and `process.name` for signs of an unusual execution location, unexpected binary name, or a process that does not normally manage files in the target directory.
  - Pivot using `process.entity_id` (or `process.pid` within a narrow time range) to reconstruct process ancestry and command context using your available process telemetry.
  - Look for additional activity by the same process in the same time window, such as other file modifications involving the same `file.path` or other executable files in similar directories.

- Check for follow-on execution and related activity:
  - Search for subsequent activity on the same `host.id` where `process.executable` matches the alerted `file.path`, which can indicate the modified file was executed after timestomping.
  - If the target is a shortcut (`file.extension` such as `lnk`), look for later execution on the host that aligns with user logon activity for `user.id` and the alert timeline.
  - Identify whether the same `file.name` and `file.path` appear on other endpoints, which may indicate propagation, a shared deployment mechanism, or a broader intrusion set.

### False positive analysis
- Enterprise software deployment, patching, and self-update mechanisms can rewrite binaries and adjust file metadata as part of normal operations.
- Backup, restore, profile reset, and file synchronization workflows can preserve or reapply timestamps when placing executables into directories.
- Administrative troubleshooting or recovery activities (for example, repairing installations or restoring components) may result in unexpected timestamp changes for legitimate files.

### Response and remediation
- If the activity is unexpected or suspicious:
  - Contain the host to limit further tampering and reduce the risk of execution or persistence.
  - Preserve evidence for the alert by capturing the values of `file.path`, `process.executable`, `process.entity_id`, `user.id`, and the before/after timestamps, and collect related events on the same `host.id` in the surrounding window.
  - Determine whether the affected file executed after the change by correlating activity on the same `host.id` and comparing `process.executable` to the alerted `file.path`.
  - Acquire and analyze the target file and the modifying process binary using your standard tooling to assess reputation, integrity, and suspected origin.
  - Remove or quarantine malicious files and remediate unauthorized persistence, especially for items placed in Startup locations.
  - Scope across the environment for the same `file.path`, `file.name`, and `process.executable`, and apply containment actions to additional affected hosts as needed.
  - If compromise is suspected, review access associated with `user.id` and follow incident response procedures for account containment and recovery.

- If the activity is confirmed benign:
  - Document the legitimate software or workflow responsible for the timestamp change, including the expected `process.executable` and target paths, to support consistent triage and future tuning.
"""
risk_score = 47
rule_id = "166727ab-6768-4e26-b80c-948b228ffc06"
setup = """## Setup

Sysmon must be installed and configured to generate the events used by this rule (Event ID 2).
Setup instructions: https://ela.st/sysmon-event-2-setup
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and
  event.provider == "Microsoft-Windows-Sysmon" and event.code == "2" and
  file.extension : (
    "exe", "dll", "sys", "msi", "scr", "pif", "lnk"
  ) and
  file.path : (
    "?:\\Windows\\System32\\*",
    "?:\\Windows\\SysWOW64\\*",
    "?:\\ProgramData\\*",
    "?:\\Users\\Public\\*",
    "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
    "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"
  ) and
  not process.executable : (
    "?:\\Program Files\\*",
    "?:\\Program Files (x86)\\*",
    "?:\\Windows\\system32\\cleanmgr.exe",
    "?:\\Windows\\system32\\msiexec.exe",
    "?:\\Windows\\syswow64\\msiexec.exe",
    "?:\\Windows\\system32\\svchost.exe",
    "?:\\Windows\\System32\\Robocopy.exe",
    "?:\\Windows\\SysWOW64\\Robocopy.exe"
  ) and
  not (process.executable : "?:\\Windows\\System32\\spoolsv.exe" and file.path : "?:\\Windows\\System32\\spool\\*") and
  not user.name : ("SYSTEM", "Local Service", "Network Service")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.006"
name = "Timestomp"
reference = "https://attack.mitre.org/techniques/T1070/006/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user.domain",
    "file.path",
    "file.name",
    "host.name",
    "host.id",
    "process.executable",
    "winlog.event_data.CreationUtcTime",
    "winlog.event_data.PreviousCreationUtcTime"
]
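As an added example, not Elastic's code, the following Python expresses the query's clauses as predicates over constructed Sysmon Event ID 2 records and adds the `PreviousCreationUtcTime` versus `CreationUtcTime` comparison the investigation steps call for. Field names are the ECS names the rule uses; every sample value is invented, and EQL's `:` operator is approximated with case-insensitive `fnmatch`.

```python
import fnmatch
from datetime import datetime

# Added example, not Elastic's code: the rule's EQL clauses as Python predicates, run over
# constructed Sysmon Event ID 2 records keyed by the ECS field names the rule itself uses.
EXTENSIONS = {"exe", "dll", "sys", "msi", "scr", "pif", "lnk"}
WATCHED = ["?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*", "?:\\ProgramData\\*",
           "?:\\Users\\Public\\*",
           "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
           "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*"]
EXCLUDED_PROC = ["?:\\Program Files\\*", "?:\\Program Files (x86)\\*",
                 "?:\\Windows\\system32\\cleanmgr.exe", "?:\\Windows\\system32\\msiexec.exe",
                 "?:\\Windows\\syswow64\\msiexec.exe", "?:\\Windows\\system32\\svchost.exe",
                 "?:\\Windows\\System32\\Robocopy.exe", "?:\\Windows\\SysWOW64\\Robocopy.exe"]
EXCLUDED_USERS = {"system", "local service", "network service"}

def glob(value, patterns):
    """EQL ':' is a case-insensitive wildcard match; its '?' and '*' map onto fnmatch."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def matches_rule(ev):
    """True when the event satisfies every clause of the rule's query."""
    if (ev.get("host.os.type"), ev.get("event.provider"), ev.get("event.code")) != (
            "windows", "Microsoft-Windows-Sysmon", "2"):
        return False
    if ev["file.extension"].lower() not in EXTENSIONS or not glob(ev["file.path"], WATCHED):
        return False
    if glob(ev["process.executable"], EXCLUDED_PROC):
        return False
    if (glob(ev["process.executable"], ["?:\\Windows\\System32\\spoolsv.exe"])
            and glob(ev["file.path"], ["?:\\Windows\\System32\\spool\\*"])):
        return False  # the print spooler rewriting its own spool directory is exempted
    return ev["user.name"].lower() not in EXCLUDED_USERS

def timestamp_direction(ev):
    """Triage helper: how PreviousCreationUtcTime was changed into CreationUtcTime."""
    before = datetime.fromisoformat(ev["winlog.event_data.PreviousCreationUtcTime"])
    after = datetime.fromisoformat(ev["winlog.event_data.CreationUtcTime"])
    return "backdated" if after < before else "forward-dated" if after > before else "unchanged"

def sample_event(**overrides):
    """Constructed record (all values invented): a staging binary in a user's temp folder
    backdates a file it dropped into System32. Pass overrides to build variants."""
    ev = {"host.os.type": "windows", "event.provider": "Microsoft-Windows-Sysmon", "event.code": "2",
          "user.name": "jdoe", "file.extension": "exe", "file.path": "C:\\Windows\\System32\\example.exe",
          "process.executable": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.exe",
          "winlog.event_data.PreviousCreationUtcTime": "2026-02-12 09:30:00.000",
          "winlog.event_data.CreationUtcTime": "2019-04-01 00:00:00.000"}
    ev.update(overrides)
    return ev
```

Variants built with `sample_event(**{...})` (an msiexec install, a SYSTEM-account write, the spooler in its own directory, a path outside the watched set) show which exclusion clause suppresses each case, while a Startup-folder `.lnk` still fires.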