Timestomp (T1070.006) is a MITRE ATT&CK technique associated with Stealth. Adversaries may modify file time attributes to hide new files or changes to existing files.
Attackers use Timestomp because it provides a reliable way to advance their objective within the Stealth tactic, often with a favorable balance of impact versus detectability on ESXi, Linux, macOS, and Windows environments. Defenders should assess this behavior in the context of the affected platform and adjacent activity rather than treating it as a standalone indicator.
Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
In Windows systems, both the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) $SI (dates/time stamps) is displayed to the end user, including in the File System view, while $FN is dealt with by the kernel.(Citation: Magnet Forensics)
Modifying the $SI attribute is the most common method of timestomping because it can be modified at the user level using API calls. $FN timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the $SI and $FN attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
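To make the $SI versus $FN comparison concrete, here is an added Python example that is not part of the ATT&CK entry or of this page: it walks the resident attributes of one NTFS FILE record using the documented on-disk layout, pulls the four FILETIME values out of $STANDARD_INFORMATION and $FILE_NAME, and flags $SI times that are earlier than their $FN counterparts, which is what a user-level rewrite of $SI alone leaves behind. The record it parses is constructed inline; the file name `update.dll`, the timestamps and the helper names (`build_record`, `parse_record`, `si_fn_anomalies`, `demo`) are assumptions for the demonstration, and the parser assumes the update-sequence fixups have already been applied to the record bytes.

```python
"""Compare $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) times in one NTFS MFT record.

Added example, not from the ATT&CK entry. Assumes update-sequence fixups have
already been applied to the 1024-byte record before it is handed to parse_record().
"""
import struct
from datetime import datetime, timedelta, timezone

ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns ticks
FIELDS = ("created", "modified", "mft_changed", "accessed")


def filetime_to_dt(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)


def dt_to_filetime(dt):
    td = dt - EPOCH                                        # integer arithmetic: no float rounding
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10


def parse_record(record):
    """Return {'si': {...}, 'fn': {...}, 'name': str} from a raw FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]        # first attribute offset
    out = {}
    while True:
        atype, length = struct.unpack_from("<II", record, off)
        if atype == ATTR_END:
            break
        if record[off + 8] == 0:                           # resident flag; $SI and $FN always are
            vlen, voff = struct.unpack_from("<IH", record, off + 16)
            body = record[off + voff: off + voff + vlen]
            if atype == ATTR_SI:
                ticks = struct.unpack_from("<4Q", body, 0)
                out["si"] = dict(zip(FIELDS, map(filetime_to_dt, ticks)))
            elif atype == ATTR_FN:
                ticks = struct.unpack_from("<4Q", body, 8)  # after the parent directory reference
                out["fn"] = dict(zip(FIELDS, map(filetime_to_dt, ticks)))
                nlen = body[64]
                out["name"] = body[66:66 + 2 * nlen].decode("utf-16-le")
        off += length
    return out


def si_fn_anomalies(parsed):
    """Indicator names for a parsed record; a $SI time earlier than $FN is the classic tell."""
    si, fn = parsed["si"], parsed["fn"]
    found = []
    for field in ("created", "modified"):
        if si[field] < fn[field]:
            found.append("si_%s_before_fn" % field)
    # Stomping tools often write round values; genuine $SI times usually carry sub-second ticks.
    if si["modified"].microsecond == 0:
        found.append("si_modified_whole_seconds")
    return found


def build_record(name, si_times, fn_times):
    """Construct a minimal FILE record with resident $SI and $FN (test data, not a real MFT)."""
    def attribute(atype, body):
        total = (24 + len(body) + 7) & ~7                  # attributes are 8-byte aligned
        header = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(body), 24, 0, 0)
        return header + body + b"\0" * (total - 24 - len(body))
    si = struct.pack("<4Q", *map(dt_to_filetime, si_times)) + b"\0" * 16
    fn = (struct.pack("<Q4QQQII", 0, *map(dt_to_filetime, fn_times), 0, 0, 0, 0)
          + bytes([len(name), 3]) + name.encode("utf-16-le"))
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1, 1024, 1024, 0, 0, 0, 0)
    fixups = struct.pack("<HHH", 1, 0, 0) + b"\0\0"        # keeps the first attribute at 0x38
    record = header + fixups + attribute(ATTR_SI, si) + attribute(ATTR_FN, fn) + b"\xff" * 4
    return record.ljust(1024, b"\0")


def demo():
    """Constructed case: $FN keeps the real 2023 creation while $SI was reset to 2019."""
    fn_times = [datetime(2023, 3, 10, 8, 15, 0, 123456, tzinfo=timezone.utc)] * 4
    si_times = [datetime(2019, 1, 1, tzinfo=timezone.utc)] * 4
    parsed = parse_record(build_record("update.dll", si_times, fn_times))
    parsed["anomalies"] = si_fn_anomalies(parsed)
    return parsed


if __name__ == "__main__":
    result = demo()
    print(result["name"], result["anomalies"])
```

Because a user-level API call rewrites only $SI, this comparison catches the common case; as the text notes, double timestomping aligns $FN too and will not trip it, so a clean comparison is the absence of one indicator, not proof that the timestamps are genuine, and it should be correlated with the other evidence the investigation turns up.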
In Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t <timestamp> <filename>` (which sets access and modification times to a specific value) or `touch -r <filename> <filename>` (which sets access and modification times to match those of another file).(Citation: Inversecos Linux Timestomping)(Citation: Juniper Networks ESXi Backdoor 2022)
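The POSIX side has a useful asymmetry for defenders: touch and utime(2) can set atime and mtime, but ctime is written by the kernel on every inode change and cannot be chosen from user space. The following added Python example (not part of the ATT&CK entry or of this page) turns that into three per-file heuristics plus a directory-level check for the `touch -r` case, and exercises them against constructed sample files that it stomps the way the commands above would. The file names, the one-day gap threshold and the helper names (`timestomp_indicators`, `shared_mtime_groups`, `build_demo`) are assumptions for the demonstration.

```python
"""Heuristic indicators of POSIX timestomping done with touch -t, touch -r or utime(2).

Added example, not from the ATT&CK entry. Assumption it rests on: the kernel sets
ctime itself on every inode change and user space cannot choose it, so a
rewritten atime/mtime disagrees with ctime in ways a normal write never does.
"""
import os
import tempfile
import time

NS = 10**9
# Assumed threshold: content "last modified" more than a day before the inode's
# last metadata change. chmod, cp -p, rsync -t and tar -x also produce this gap.
GAP_SECONDS = 24 * 3600


def timestomp_indicators(path, gap_seconds=GAP_SECONDS):
    """Return the indicator names that apply to one file (empty list = nothing odd)."""
    st = os.stat(path, follow_symlinks=False)
    found = []
    # utime() cannot move ctime, so an mtime later than ctime is never natural.
    if st.st_mtime_ns > st.st_ctime_ns:
        found.append("mtime_after_ctime")
    # An old mtime under a recent ctime: timestamps rewritten after the last write.
    if st.st_ctime_ns - st.st_mtime_ns > gap_seconds * NS:
        found.append("ctime_much_later_than_mtime")
    # touch -t only resolves to whole seconds; real writes on ext4, xfs or tmpfs
    # carry nanoseconds. Meaningless on 1-second filesystems (FAT, ext3, HFS+).
    if st.st_mtime_ns % NS == 0:
        found.append("mtime_whole_seconds")
    return found


def shared_mtime_groups(directory):
    """Groups of files in one directory whose mtime matches to the nanosecond.

    touch -r copies the reference file's timestamps exactly, so distinct files
    with an identical ns-resolution mtime deserve a look (same caveat about
    1-second filesystems as above).
    """
    by_mtime = {}
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            mtime = entry.stat(follow_symlinks=False).st_mtime_ns
            by_mtime.setdefault(mtime, []).append(entry.name)
    return sorted(sorted(names) for names in by_mtime.values() if len(names) > 1)


def build_demo():
    """Write constructed sample files, stomp three of them the way the text
    describes, and return what the checks report."""
    root = tempfile.mkdtemp(prefix="timestomp-demo-")
    paths = {}
    for name in ("legit.conf", "backdated.so", "future.log", "mimic.so"):
        paths[name] = os.path.join(root, name)
        with open(paths[name], "w") as fh:
            fh.write("constructed sample content for %s\n" % name)
    now = time.time()
    # touch -a -m -t 201501011200 backdated.so : whole-second time years ago
    old = 1420113600 * NS
    os.utime(paths["backdated.so"], ns=(old, old))
    # touch -a -m -t <a week ahead> future.log : mtime now lands after ctime
    ahead = int((now + 7 * 86400) * NS)
    os.utime(paths["future.log"], ns=(ahead, ahead))
    # touch -r legit.conf mimic.so : copy the reference file's exact timestamps
    ref = os.stat(paths["legit.conf"])
    os.utime(paths["mimic.so"], ns=(ref.st_atime_ns, ref.st_mtime_ns))
    return {
        "backdated": timestomp_indicators(paths["backdated.so"]),
        "future": timestomp_indicators(paths["future.log"]),
        "mimic": timestomp_indicators(paths["mimic.so"]),
        "groups": shared_mtime_groups(root),
    }


if __name__ == "__main__":
    for key, value in build_demo().items():
        print("%-10s %s" % (key, value))
```

Note that `mimic.so`, stomped with a same-directory reference, reports nothing from the per-file checks: its mtime is recent and plausible, which is exactly the blending the text describes, and only the shared-mtime grouping surfaces it. Preserving copies (`cp -p`, rsync, archive extraction) legitimately produce the ctime gap, so baseline these indicators against routine administrative activity on the host before treating them as alerts.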
Timestomping may be used along with file name Masquerading to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
No universal command represents Timestomp. Capture the exact command line, arguments, parent process, account, host, and execution time from the investigated environment; do not operationalize unverified examples.
| Event ID | Log Channel | What It Indicates |
|---|---|---|
| Environment-specific | Relevant Windows channel(s) | Correlate authentication, process, object-access, and configuration events with the observed execution context. |

| Sysmon Event ID | Name | Why It's Relevant Here |
|---|---|---|
| Environment-specific | Validate configured telemetry | Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled. |
No MITRE detection guidance published for this technique.
Relevant ATT&CK Data Sources: N/A
A universal Sigma rule would create unreliable results because this technique has no single guaranteed observable. Build detection logic from a documented behavior and supported data source, scope it to the affected platform, and validate it against benign administrative activity before deployment.
Start with the data sources named in the detection section. Scope searches by asset, identity, and time window; correlate the primary behavior with preceding access and subsequent actions. A portable query is intentionally not provided where the technique lacks a universal schema or observable.
No MITRE mitigations mapped to this technique.