Detection rules › Elastic
Potential Timestomp in Executable Files
Identifies a change to the creation time of an executable file in a sensitive system directory, as reported by Sysmon Event ID 2. Adversaries alter file time attributes so that a dropped executable blends in with the legitimate system files around it: timestomping typically copies the timestamps of a trusted file in the same directory, so the new file does not stand out when the directory is sorted or triaged by date. Two limits follow from the event source and the predicate below: Sysmon Event ID 2 fires only when the creation time changes (a tool that rewrites only the modified or accessed times produces no event), and the rule only considers .exe files under System32, so a stomped DLL in the same directory is outside its coverage.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1070 Indicator Removal, T1070.006 Indicator Removal: Timestomp |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 2 | A process changed a file creation time |
Stages and Predicates
Stage 1: eql:file
event.provider:"Microsoft-Windows-Sysmon" and file.extension:"exe" and file.path:"?:\\Windows\\System32\\*"
  and not (file.path:"?:\\Windows\\System32\\spool\\*" and process.executable:"?:\\Windows\\System32\\spoolsv.exe")
  and not process.executable:"?:\\Program Files\\*"
  and not user.name:"SYSTEM"
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses. The predicate above shows the exclusions in abbreviated form; the full list of excluded values is given here. All rows belong to the single stage. Image and user are the Sysmon field names for what the predicate calls process.executable and user.name. Patterns are matched case-insensitively, and ?: matches any single drive letter.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | Image | eq | ?:\Windows\System32\spoolsv.exe (only together with the spool path below) |
| 1 | file.path | starts_with | ?:\Windows\System32\spool\ (only together with the spoolsv.exe image above) |
| 1 | Image | wildcard | ?:\Program Files\*, ?:\Program Files (x86)\*, ?:\Windows\system32\cleanmgr.exe, ?:\Windows\system32\msiexec.exe, ?:\Windows\syswow64\msiexec.exe, ?:\Windows\system32\svchost.exe, ?:\Windows\System32\Robocopy.exe, ?:\Windows\SysWOW64\Robocopy.exe |
| 1 | user | eq | SYSTEM, Local Service, Network Service |
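The stage-1 selection predicate and the exclusion table, re-implemented as a filter and run over constructed Sysmon Event ID 2 records, as an added example that is not part of the Elastic rule or of this catalog page. Field names follow the ECS spelling used in the predicate (process.executable, user.name, file.path); the event.code check is taken from the Event coverage table rather than from the predicate text; the sample events, process paths and user names are invented for illustration and are not real telemetry.

```python
"""Added example: the rule's predicate and exclusions as a Python filter.
Not the Elastic rule itself; the events below are constructed, not real."""
import re

# Selection predicate (stage 1) as written on the page.
SELECT_PROVIDER = "Microsoft-Windows-Sysmon"
SELECT_EVENT_CODE = "2"          # from the Event coverage table: Sysmon EID 2 only
SELECT_EXTENSION = "exe"
SELECT_PATH = r"?:\Windows\System32\*"

# Exclusion table. "Image" is Sysmon's name for process.executable.
SPOOLER_IMAGE = r"?:\Windows\System32\spoolsv.exe"
SPOOLER_PATH = r"?:\Windows\System32\spool\*"
EXCLUDED_IMAGES = [
    r"?:\Program Files\*",
    r"?:\Program Files (x86)\*",
    r"?:\Windows\system32\cleanmgr.exe",
    r"?:\Windows\system32\msiexec.exe",
    r"?:\Windows\syswow64\msiexec.exe",
    r"?:\Windows\system32\svchost.exe",
    r"?:\Windows\System32\Robocopy.exe",
    r"?:\Windows\SysWOW64\Robocopy.exe",
]
EXCLUDED_USERS = {"system", "local service", "network service"}


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an EQL-style wildcard into a case-insensitive anchored regex.
    '*' matches any run of characters, '?' exactly one character (so '?:'
    matches a single drive letter plus colon and rejects UNC paths).
    Backslashes are literal Windows path separators."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def wild(value, pattern: str) -> bool:
    """Case-insensitive wildcard match; a missing field never matches."""
    return value is not None and glob_to_regex(pattern).match(value) is not None


def rule_matches(ev: dict) -> bool:
    """True when the event satisfies the selection predicate and no exclusion."""
    if ev.get("event.provider") != SELECT_PROVIDER or ev.get("event.code") != SELECT_EVENT_CODE:
        return False
    if (ev.get("file.extension") or "").lower() != SELECT_EXTENSION:
        return False
    if not wild(ev.get("file.path"), SELECT_PATH):
        return False
    image = ev.get("process.executable")
    # The print spooler rewriting files in its own spool directory is expected.
    if wild(image, SPOOLER_IMAGE) and wild(ev.get("file.path"), SPOOLER_PATH):
        return False
    # Installers, cleanup and copy utilities legitimately set creation times.
    if any(wild(image, p) for p in EXCLUDED_IMAGES):
        return False
    # Service accounts are suppressed by the rule.
    if (ev.get("user.name") or "").lower() in EXCLUDED_USERS:
        return False
    return True


def _eid2(tag, image, user, path, ext="exe", provider=SELECT_PROVIDER, code="2"):
    """Build one ECS-style Sysmon EID 2 record (constructed sample data)."""
    return {"tag": tag, "event.provider": provider, "event.code": code,
            "process.executable": image, "user.name": user,
            "file.path": path, "file.extension": ext}


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    _eid2("dropper", r"C:\Users\alice\AppData\Local\Temp\update.exe", "alice",
          r"C:\Windows\System32\drvhost.exe"),
    _eid2("second-drive", r"D:\Tools\stomp.exe", "bob",
          r"D:\Windows\System32\svcmon.exe"),
    _eid2("spooler", r"C:\Windows\System32\spoolsv.exe", "alice",
          r"C:\Windows\System32\spool\drivers\x64\3\pdriver.exe"),
    _eid2("installer", r"C:\Windows\system32\msiexec.exe", "alice",
          r"C:\Windows\System32\newapp.exe"),
    _eid2("system-account", r"C:\Windows\Temp\unknown.exe", "SYSTEM",
          r"C:\Windows\System32\unknown.exe"),
    _eid2("dll-not-covered", r"C:\Users\alice\AppData\Local\Temp\update.exe", "alice",
          r"C:\Windows\System32\helper.dll", ext="dll"),
    _eid2("unc-path", r"C:\Users\alice\tool.exe", "alice",
          r"\\fileserver\c$\Windows\System32\evil.exe"),
    _eid2("not-sysmon", r"C:\Users\alice\tool.exe", "alice",
          r"C:\Windows\System32\evil.exe",
          provider="Microsoft-Windows-Security-Auditing", code="4663"),
]


def matching_tags(events):
    """Tags of the events the rule would alert on, in input order."""
    return [ev["tag"] for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['tag']:>16}: {'ALERT' if rule_matches(ev) else 'suppressed'}")
```

Only the "dropper" and "second-drive" events alert. The other six show the rule's edges: the spooler/spool-path pair and the installer image are suppressed by the exclusion table, the SYSTEM account is suppressed by the user exclusion, the DLL is outside the file.extension selection, the UNC path fails the single-character ?: drive wildcard, and a non-Sysmon event never enters the rule at all.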
Indicators
Each row is a field, operator, and value that the rule matches; the values are the selection conjuncts of the stage-1 predicate.
| Field | Kind | Values |
|---|---|---|
| event.provider | eq | Microsoft-Windows-Sysmon |
| file.extension | wildcard | exe |
| file.path | wildcard | ?:\Windows\System32\* |