Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.

Detects usage of the "touch" process in service file.

Detect file time attribute change to hide new or changes to existing files

Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.

Detect file time attribute change to hide new or changes to existing files.

Detect scenarios where a potentially unauthorized application or user is modifying the system time.