Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering

Technique Detected: Timestomp | T1070.006

ID: DET0591
Domains: Enterprise
Analytics: AN1626, AN1627, AN1628, AN1629
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1626

Detects attempts to modify file timestamps via API usage (e.g., SetFileTime), CLI tools (e.g., w32tm, PowerShell), or double-timestomp behavior where $SI and $FN timestamps are mismatched or reverted.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| OS API Execution (DC0021) | EDR:file | SetFileTime |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Correlate timestamp change with preceding file creation or suspicious access |
| APINamePattern | Include SetFileTime, NtSetInformationFile, or other timestamp APIs |
| TimestampDeltaThreshold | Trigger on excessive backdating (e.g., >90 days) |
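The following is an added worked example, not MITRE's code and not part of DET0591 itself. It applies the AN1626 mutable elements (TimeWindow, APINamePattern, TimestampDeltaThreshold) and the $SI/$FN mismatch and revert conditions to constructed, normalized timestamp-change records. The record field names (event_time, api, target, previous_creation, new_creation, si_created, fn_created) are assumptions about a normalization layer in front of the Sysmon, Security and EDR channels listed above, not the channels' own field names.

```python
"""Added example (not MITRE's code): AN1626 checks over constructed records.
Field names are assumptions about a normalized timestamp-change event."""
from datetime import datetime, timedelta, timezone

# Tunables mirroring the analytic's mutable elements (values are assumptions).
TIMESTAMP_DELTA_THRESHOLD = timedelta(days=90)              # TimestampDeltaThreshold
TIME_WINDOW = timedelta(minutes=10)                          # TimeWindow
API_NAME_PATTERN = {"SetFileTime", "NtSetInformationFile"}  # APINamePattern


def _ts(value):
    """Parse an ISO-8601 timestamp string as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def evaluate_event(event):
    """Return the set of AN1626 conditions one timestamp-change record satisfies."""
    hits = set()
    observed = _ts(event["event_time"])
    if event.get("api") in API_NAME_PATTERN:
        hits.add("api_match")
    # TimestampDeltaThreshold: the new creation time lies far in the past.
    if observed - _ts(event["new_creation"]) > TIMESTAMP_DELTA_THRESHOLD:
        hits.add("backdated")
    # TimeWindow: the change closely follows the file's real creation.
    previous = event.get("previous_creation")
    if previous and timedelta(0) <= observed - _ts(previous) <= TIME_WINDOW:
        hits.add("near_creation")
    # SetFileTime rewrites $STANDARD_INFORMATION; $FILE_NAME normally only
    # changes on rename, so $SI created earlier than $FN is a mismatch.
    si, fn = event.get("si_created"), event.get("fn_created")
    if si and fn and _ts(si) < _ts(fn):
        hits.add("si_fn_mismatch")
    return hits


def find_reverts(events):
    """Reverted timestomp: a file set to value X and later set from X back to
    its original value (one reading of the page's 'double-timestomp')."""
    by_target = {}
    for ev in sorted(events, key=lambda e: e["event_time"]):
        by_target.setdefault(ev["target"], []).append(ev)
    reverted = []
    for target, evs in by_target.items():
        for first, second in zip(evs, evs[1:]):
            if (second["previous_creation"] == first["new_creation"]
                    and second["new_creation"] == first["previous_creation"]):
                reverted.append(target)
    return reverted


def alerts(events):
    """Alert when a timestamp API call backdates a file beyond the threshold."""
    return [ev for ev in events if {"api_match", "backdated"} <= evaluate_event(ev)]


# Constructed sample records (not real telemetry).
EVENTS = [
    {"event_time": "2025-10-21T10:05:00", "api": "SetFileTime",
     "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target": r"C:\Windows\System32\drivers\xyz.sys",
     "previous_creation": "2025-10-21T10:01:30", "new_creation": "2019-03-01T08:00:00",
     "si_created": "2019-03-01T08:00:00", "fn_created": "2025-10-21T10:01:30"},
    {"event_time": "2025-10-21T11:00:00", "api": "SetFileTime",
     "image": r"C:\Program Files\Backup\restore.exe", "target": r"D:\restore\report.docx",
     "previous_creation": "2025-10-21T10:59:00", "new_creation": "2025-10-20T09:00:00"},
    {"event_time": "2025-10-21T12:00:00", "api": "NtSetInformationFile",
     "image": r"C:\Users\alice\tool.exe", "target": r"C:\Users\alice\notes.txt",
     "previous_creation": "2025-10-21T09:00:00", "new_creation": "2024-01-01T00:00:00"},
    {"event_time": "2025-10-21T12:30:00", "api": "NtSetInformationFile",
     "image": r"C:\Users\alice\tool.exe", "target": r"C:\Users\alice\notes.txt",
     "previous_creation": "2024-01-01T00:00:00", "new_creation": "2025-10-21T09:00:00"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["target"], sorted(evaluate_event(ev)))
    print("alerts:", [ev["target"] for ev in alerts(EVENTS)])
    print("reverted:", find_reverts(EVENTS))
```

The second record (a one-day adjustment by a backup tool) trips TimeWindow but not TimestampDeltaThreshold, which is why the alert rule requires the API match and the backdating together; tune the two thresholds to the environment's own restore and sync tooling.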

AN1627

Detects use of timestamp-altering commands such as `touch -a -m -t` or `touch -r`, particularly when executed by unusual users or in suspicious directories.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Metadata (DC0059) | linux:osquery | file_events |

Mutable Elements

| Field | Description |
|---|---|
| MonitoredCommandList | Commands like `touch -r`, `debugfs`, `stat` used in sequence |
| FilePathRegex | Suspicious paths like `/tmp/`, `/var/lib/`, `/mnt/esxi/` |
| DeltaThreshold | Mismatch between timestamp and file activity time |

AN1628

Detects timestamp changes using `touch`, `SetFile`, or direct metadata tampering (e.g., `xattr` manipulation) from Terminal, scripts, or low-level APIs.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | log stream --predicate |
| File Metadata (DC0059) | macos:osquery | file_events |

Mutable Elements

| Field | Description |
|---|---|
| CommandMatch | `touch`/`SetFile` invocations that set backdated timestamps |
| UserContext | Detects execution under non-interactive/system accounts |

AN1629

Detects abuse of busybox commands (e.g., touch) or log timestamp tampering during backdoor persistence or evasion.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | esxi:vmkernel | /var/log/vmkernel.log |

Mutable Elements

| Field | Description |
|---|---|
| TimestampAgeComparison | Unusual backdating to match legitimate files |
| PersistenceOverlap | Overlap with known persistence paths |
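The following is an added worked example, not MITRE's code and not part of DET0591 itself. It serves AN1627, AN1628 and AN1629 together, since all three reduce to the same command-line check: it parses constructed process-creation records for `touch -t`/`-r`/`-d`, `SetFile -d`/`-m`, `xattr` writes, `debugfs` inode edits and busybox-wrapped `touch`, then applies FilePathRegex (the three paths named above), DeltaThreshold/TimestampAgeComparison (90 days, an assumed value) and UserContext. The record fields cmdline, uid and tty are assumptions about a normalized process-creation event, not auditd, osquery or unified-log field names.

```python
"""Added example (not MITRE's code): AN1627/AN1628/AN1629 command checks over
constructed execve-style records. Record field names are assumptions."""
import re
import shlex
from datetime import datetime, timedelta, timezone

MONITORED_COMMANDS = {"touch", "setfile", "xattr", "debugfs"}   # MonitoredCommandList / CommandMatch
FILE_PATH_REGEX = re.compile(r"^(/tmp/|/var/lib/|/mnt/esxi/)")   # FilePathRegex (paths from the page)
DELTA_THRESHOLD = timedelta(days=90)                               # DeltaThreshold / TimestampAgeComparison
TOUCH_VALUE_FLAGS = {"-t", "-d", "-r", "--date", "--reference"}    # touch options that take a value
TAMPER = {"explicit_timestamp", "reference_copy", "xattr_change", "inode_field_set"}
CONTEXT = {"suspicious_path", "backdated", "non_interactive"}


def parse_touch_t(value):
    """Parse touch -t [[CC]YY]MMDDhhmm[.ss] (forms carrying a year) as UTC."""
    main, _, sec = value.partition(".")
    if len(main) == 10:  # YYMMDDhhmm: POSIX century rule, 69-99 -> 19xx, 00-68 -> 20xx
        main = ("19" if int(main[:2]) >= 69 else "20") + main
    if len(main) != 12:
        raise ValueError(f"unsupported touch -t value: {value!r}")
    dt = datetime.strptime(main + (sec or "00"), "%Y%m%d%H%M%S")
    return dt.replace(tzinfo=timezone.utc)


def normalize_argv(argv):
    """ESXi invokes applets as `busybox touch ...`; strip the multiplexer name."""
    if len(argv) > 1 and argv[0].rsplit("/", 1)[-1] == "busybox":
        return argv[1:]
    return argv


def analyze_exec(record, observed):
    """Classify one process-creation record; None when the command is not monitored."""
    argv = normalize_argv(shlex.split(record["cmdline"]))
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    name = tool.lower()
    if name not in MONITORED_COMMANDS:
        return None
    indicators, targets, backdated_days = set(), [], None
    args, i = argv[1:], 0
    while i < len(args):
        arg = args[i]
        if name == "touch" and arg in TOUCH_VALUE_FLAGS:
            value = args[i + 1] if i + 1 < len(args) else ""
            if arg in ("-r", "--reference"):
                indicators.add("reference_copy")        # timestamps copied from another file
            else:
                indicators.add("explicit_timestamp")
                if arg == "-t":
                    try:
                        backdated_days = (observed - parse_touch_t(value)).days
                    except ValueError:
                        pass
            i += 2
            continue
        if name == "setfile" and arg in ("-d", "-m"):  # SetFile creation/modification date
            indicators.add("explicit_timestamp")
            i += 2
            continue
        if name == "xattr" and arg in ("-w", "-d"):
            indicators.add("xattr_change")
        if name == "debugfs" and "set_inode_field" in arg:
            indicators.add("inode_field_set")
        if not arg.startswith("-") and "/" in arg:
            targets.append(arg)
        i += 1
    if any(FILE_PATH_REGEX.match(t) for t in targets):
        indicators.add("suspicious_path")
    if backdated_days is not None and backdated_days > DELTA_THRESHOLD.days:
        indicators.add("backdated")
    # UserContext: no controlling terminal suggests a script or system account.
    if record.get("tty") in (None, "", "(none)"):
        indicators.add("non_interactive")
    if record.get("uid") == 0:
        indicators.add("privileged")
    return {"tool": tool, "targets": targets, "indicators": indicators,
            "backdated_days": backdated_days}


def is_alert(result):
    """Alert on a tampering action that also carries at least one suspicious context."""
    return bool(result and result["indicators"] & TAMPER and result["indicators"] & CONTEXT)


OBSERVED = datetime(2025, 10, 21, 10, 0, tzinfo=timezone.utc)
# Constructed sample records (not real telemetry).
RECORDS = [
    {"cmdline": "touch -a -m -t 202001011200.00 /var/lib/.cache/libx.so", "uid": 0, "tty": "(none)"},
    {"cmdline": "touch /tmp/build.lock", "uid": 1000, "tty": "pts/0"},
    {"cmdline": "/usr/bin/SetFile -d '03/01/2019 08:00:00' /Applications/Utilities/helper", "uid": 501, "tty": None},
    {"cmdline": "/bin/busybox touch -r /bin/sh /mnt/esxi/.backdoor.sh", "uid": 0, "tty": None},
]

if __name__ == "__main__":
    for rec in RECORDS:
        res = analyze_exec(rec, OBSERVED)
        print(rec["cmdline"], "->", "ALERT" if is_alert(res) else "ok", sorted(res["indicators"]))
```

A plain `touch file` in `/tmp/` (the second record) only updates timestamps to "now" and so matches FilePathRegex without any tampering indicator; requiring one indicator from each of the two sets keeps build systems and lock files out of the alert stream while the `-r` reference copy on the ESXi record still fires.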