File Creation Date Changed to Another Year

 1title: File Creation Date Changed to Another Year
 2id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
 3status: test
 4description: |
 5    Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
 6    Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.    
 7references:
 8    - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
 9author: frack113, Florian Roth (Nextron Systems)
10date: 2022/08/12
11modified: 2022/10/25
12tags:
13    - attack.t1070.006
14    - attack.defense_evasion
15logsource:
16    category: file_change
17    product: windows
18detection:
19    selection1:
20        PreviousCreationUtcTime|startswith: '2022'
21    filter1:
22        CreationUtcTime|startswith: '2022'
23    selection2:
24        PreviousCreationUtcTime|startswith: '202'
25    filter2:
26        CreationUtcTime|startswith: '202'
27    gen_filter_updates:
28        - Image:
29              - 'C:\Windows\system32\ProvTool.exe'
30              - 'C:\Windows\System32\usocoreworker.exe'
31              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
32        - TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
33        - TargetFilename|endswith:
34              - '.tmp'
35              - '.temp'
36    gen_filter_tiworker:
37        Image|startswith: 'C:\WINDOWS\'
38        Image|endswith: '\TiWorker.exe'
39        TargetFilename|endswith: '.cab'
40    condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter*
41falsepositives:
42    - Changes made to or by the local NTP service
43level: high