File Creation Time Changed

Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file, often to mimic files that are in trusted directories.


# Elastic detection rule: alert on a file creation-time change (Sysmon Event ID 2)
# that is not attributable to one of the excluded installers, updaters or browsers.
# [metadata] carries the rule-repository bookkeeping; [rule] is the rule itself.
[metadata]
creation_date = "2023/01/17"
# Data source: the Elastic "windows" integration (the query itself needs its Sysmon events).
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/18"

[rule]
author = ["Elastic"]
description = """
Identifies modification of a file creation time. Adversaries may modify file time attributes to blend
malicious content with existing files. Timestomping is a technique that modifies the timestamps of 
a file often to mimic files that are in trusted directories.
"""
# Look-back window per rule execution; the execution interval itself is not set in this file.
from = "now-9m"
# Index patterns searched; both are wildcards, so newly created matching streams are covered.
index = ["winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "File Creation Time Changed"
risk_score = 47
rule_id = "166727ab-6768-4e26-b80c-948b228ffc06"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion"
]
# Schedule on ingestion time rather than event time, so events that arrive late
# (e.g. from an agent that was offline) still fall inside the `from` window.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic. Tuning notes (the query string below is left as-is):
# - event.code "2" with event.action "File creation time changed*" requires Sysmon
#   Event ID 2 to be collected; without that event the rule never fires.
# - The process.executable exclusions are path patterns matched with ":", i.e.
#   case-insensitively and with wildcards. "?:\\Program Files\\*" and
#   "?:\\Program Files (x86)\\*" therefore exclude every binary under those trees,
#   not just known installers; a timestomp performed from there is not alerted on.
# - Events whose user.name is SYSTEM, Local Service or Network Service are dropped,
#   which also silences anything running under those service accounts.
# - The file.extension / file.name exclusions remove common transient or cache
#   files; widen them with care, each one is a blind spot for the rule.
query = '''
file where host.os.type == "windows" and event.code : "2" and

 /* Requires Sysmon EventID 2 - File creation time change */
 event.action : "File creation time changed*" and 
 
 not process.executable : 
          ("?:\\Program Files\\*", 
           "?:\\Program Files (x86)\\*", 
           "?:\\Windows\\system32\\cleanmgr.exe",
           "?:\\Windows\\system32\\msiexec.exe", 
           "?:\\Windows\\syswow64\\msiexec.exe", 
           "?:\\Windows\\system32\\svchost.exe", 
           "?:\\WINDOWS\\system32\\backgroundTaskHost.exe",
           "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", 
           "?:\\Users\\*\\AppData\\Local\\Mozilla Firefox\\firefox.exe",
           "?:\\Users\\*\\AppData\\Local\\slack\\app-*\\slack.exe", 
           "?:\\Users\\*\\AppData\\Local\\GitHubDesktop\\app-*\\GitHubDesktop.exe",
           "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", 
           "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe") and 
 not file.extension : ("temp", "tmp", "~tmp", "xml", "newcfg") and not user.name : ("SYSTEM", "Local Service", "Network Service") and
 not file.name : ("LOG", "temp-index", "license.rtf", "iconcache_*.db")
'''


# MITRE ATT&CK mapping: Defense Evasion (TA0005) via Indicator Removal: Timestomp (T1070.006).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.006"
name = "Timestomp"
reference = "https://attack.mitre.org/techniques/T1070/006/"


# Sub-table of the [[rule.threat]] element above; it must stay after that header
# and before any further [[rule.threat]] entry to attach to the right element.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
