T1070.006
Timestomp
Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files. In Windows systems, both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (da...
ESXi, Linux, macOS, Windows
9 Detections
3 Sources
11 Threat Actors
BY SOURCE
sigma: 5, elastic: 3, splunk_escu: 1
PROCEDURES (3)
General Monitoring: 4 detections
Auto-extracted: 4 detections for general monitoring
Process Creation Monitoring: 4 detections
Auto-extracted: 4 detections for process creation monitoring
Script Execution Monitoring: 1 detection
Auto-extracted: 1 detection for script execution monitoring
DETECTIONS (9)
ESXi System Clock Manipulation (splunk_escu)
ESXI Timestomping using Touch Command (elastic, medium)
File Time Attribute Change (sigma, medium)
File Time Attribute Change - Linux (sigma, medium)
Potential Timestomp in Executable Files (elastic, medium)
Powershell Timestomp (sigma, medium)
Timestomping using Touch Command (elastic, medium)
Touch Suspicious Service File (sigma, medium)
Unauthorized System Time Modification (sigma, low)