
Indicator Removal: Timestomp T1070.006

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.

Events covered

4 catalog events are tagged with this technique by at least one rule.

Provider          | Event ID | Title
------------------|----------|-----------------------------------------------------------
Sysmon            | 2        | A process changed a file creation time
Security-Auditing | 4616     | The system time was changed.
Security-Auditing | 4688     | A new process has been created.
PowerShell        | 4104     | Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 4 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (6 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field           | Rules | How          | Sample values
----------------|-------|--------------|----------------------------------------------------------------------------------------------------------
file.extension  | 1     | eq (1)       | lnk, dll, msi
file.path       | 1     | wildcard (1) | ?:\Windows\SysWOW64\*, ?:\Users\*\AppData\Roaming\Microsoft\Windows\Start..., ?:\Users\Public\*
Provider_Name   | 1     | eq (1)       | Microsoft-Windows-Sysmon
ScriptBlockText | 1     | match (1)    | [IO.File]::SetLastWriteTime, .CreationTime =, [IO.File]::SetLastAccessTime
SubjectUserSid  | 1     | eq (1)       | S-1-5-19
process_name    | 1     | eq (1)       | C:\Windows\System32\svchost.exe, C:\Windows\System32\VBoxService.exe, C:\Windows\System32\oobe\msoobe.exe

Top indicator values (26 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field           | Kind     | Value                                                                  | Rules (here) | Corpus reach
----------------|----------|------------------------------------------------------------------------|--------------|-------------
file.path       | wildcard | ?:\Windows\System32\*                                                  | 1            |
file.extension  | eq       | exe                                                                    | 1            |
Provider_Name   | eq       | Microsoft-Windows-Sysmon                                               | 1            | 3
file.extension  | eq       | lnk                                                                    | 1            |
file.extension  | eq       | msi                                                                    | 1            |
file.path       | wildcard | ?:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\* | 1            |
file.extension  | eq       | sys                                                                    | 1            |
file.path       | wildcard | ?:\ProgramData\*                                                       | 1            |
file.path       | wildcard | ?:\Users\Public\*                                                      | 1            |
file.path       | wildcard | ?:\Windows\SysWOW64\*                                                  | 1            |
file.extension  | eq       | scr                                                                    | 1            |
file.extension  | eq       | dll                                                                    | 1            |
file.path       | wildcard | ?:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*         | 1            |
file.extension  | eq       | pif                                                                    | 1            |
ScriptBlockText | match    | .CreationTime =                                                        | 1            |
ScriptBlockText | match    | [IO.File]::SetLastAccessTime                                           | 1            |
ScriptBlockText | match    | [IO.File]::SetLastWriteTime                                            | 1            |
ScriptBlockText | match    | .LastWriteTime =                                                       | 1            |
ScriptBlockText | match    | [IO.File]::SetCreationTime                                             | 1            |
ScriptBlockText | match    | .LastAccessTime =                                                      | 1            |

Common exclusions (13 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field     | Kind        | Value                              | Rules excluding
----------|-------------|------------------------------------|----------------
user      | eq          | Network Service                    | 1
Image     | wildcard    | ?:\Windows\system32\cleanmgr.exe   | 1
Image     | wildcard    | ?:\Windows\System32\Robocopy.exe   | 1
Image     | wildcard    | ?:\Program Files\*                 | 1
file.path | starts_with | ?:\Windows\System32\spool\         | 1
Image     | wildcard    | ?:\Windows\syswow64\msiexec.exe    | 1
user      | eq          | SYSTEM                             | 1
Image     | wildcard    | ?:\Windows\SysWOW64\Robocopy.exe   | 1
user      | eq          | Local Service                      | 1
Image     | wildcard    | ?:\Windows\system32\svchost.exe    | 1
Image     | eq          | ?:\Windows\System32\spoolsv.exe    | 1
Image     | wildcard    | ?:\Windows\system32\msiexec.exe    | 1
Image     | wildcard    | ?:\Program Files (x86)\*           | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma: 2 rules

Elastic: 1 rule

Kusto Query Language: 1 rule