Powershell Timestomp
Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
Sigma rule (View on GitHub)
1title: Powershell Timestomp
2id: c6438007-e081-42ce-9483-b067fbef33c3
3status: test
4description: |
5 Adversaries may modify file time attributes to hide new or changes to existing files.
6 Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
9 - https://www.offensive-security.com/metasploit-unleashed/timestomp/
10author: frack113
11date: 2021-08-03
12modified: 2022-12-25
13tags:
14 - attack.defense-evasion
15 - attack.t1070.006
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 selection_ioc:
22 ScriptBlockText|contains:
23 - '.CreationTime ='
24 - '.LastWriteTime ='
25 - '.LastAccessTime ='
26 - '[IO.File]::SetCreationTime'
27 - '[IO.File]::SetLastAccessTime'
28 - '[IO.File]::SetLastWriteTime'
29 condition: selection_ioc
30falsepositives:
31 - Legitimate admin script
32level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Timestomp can be a great tool for interacting with the filesystem and helps minimize detection by a forensic investigation.
Read More
Related rules
- File Creation Date Changed to Another Year
- File Time Attribute Change
- File Time Attribute Change - Linux
- Touch Suspicious Service File
- Unauthorized System Time Modification