Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
Both the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) attributes record times in a Master File Table (MFT) file.[1] $SI (dates/time stamps) is displayed to the end user, including in the File System view, while $FN is dealt with by the kernel.[2]
Modifying the $SI attribute is the most common method of timestomping because it can be modified at the user level using API calls. $FN timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.[1]
Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the $SI and $FN attributes, adversaries may also engage in "double timestomping" by modifying times on both attributes simultaneously.[3]
Timestomping may be used along with file name Masquerading to hide malware and tools.[4]
ID | Name | Description |
---|---|---|
S0066 | 3PARA RAT | 3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.[5] |
G0007 | APT28 | |
G0016 | APT29 | APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory.[7] |
G0050 | APT32 | APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.[8][9][10] |
G0082 | APT38 | APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.[11] |
G1023 | APT5 | |
S0438 | Attor | Attor has manipulated the time of last access to files and registry keys after they have been created or modified.[13] |
S0239 | Bankshot | Bankshot modifies the time of a file as specified by the control server.[14] |
S0570 | BitPaymer | BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool.[15] |
S0520 | BLINDINGCAN | BLINDINGCAN has modified file and directory timestamps.[16][17] |
S1161 | BPFDoor | BPFDoor uses the |
C0032 | C0032 | During the C0032 campaign, TEMP.Veles used timestomping to modify the |
G0114 | Chimera | Chimera has used a Windows version of the Linux |
S1149 | CHIMNEYSWEEP | CHIMNEYSWEEP can time stomp its executable, previously dating it between 2010 and 2021.[21] |
S0020 | China Chopper | China Chopper's server component can change the timestamp of files.[22][23][24] |
S0154 | Cobalt Strike | Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in.[25][26] |
C0029 | Cutting Edge | During Cutting Edge, threat actors changed timestamps of multiple files on compromised Ivanti Secure Connect VPNs to conceal malicious activity.[27][28] |
S0687 | Cyclops Blink | Cyclops Blink has the ability to use the Linux API function |
S0021 | Derusbi | |
S0081 | Elise | |
S0363 | Empire | Empire can timestomp any files or payloads placed on a target machine to help them blend in.[33] |
S0568 | EVILNUM | |
S0181 | FALLCHILL | |
S0168 | Gazer | For early Gazer versions, the compilation timestamp was faked.[36] |
S0666 | Gelsemium | Gelsemium has the ability to perform timestomping of files on targeted systems.[37] |
S0260 | InvisiMole | InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times.[38] |
S0387 | KeyBoy | KeyBoy time-stomped its DLL in order to evade detection.[39] |
G0094 | Kimsuky | Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.[40] |
S0641 | Kobalos | Kobalos can modify timestamps of replaced files, such as |
G0032 | Lazarus Group | Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.[42][43][44][45] |
S1016 | MacMa | MacMa has the capability to create and modify file timestamps.[46] |
S1059 | metaMain | metaMain can change the |
S0083 | Misdat | Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.[48] |
S1135 | MultiLayer Wiper | MultiLayer Wiper changes timestamps of overwritten files to either 1601.1.1 for NTFS filesystems, or 1980.1.1 for all other filesystems.[49] |
S1090 | NightClub | NightClub can modify the Creation, Access, and Write timestamps for malicious DLLs to match those of the genuine Windows DLL user32.dll.[50] |
S1100 | Ninja | Ninja can change or create the last access or write times.[51] |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D can use the |
S0072 | OwaAuth | |
S1031 | PingPull | |
S0150 | POSHSPY | POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.[56] |
S0393 | PowerStallion | PowerStallion modifies the MAC times of its local log files to match that of the victim's desktop.ini file.[57] |
S0078 | Psylo | Psylo has a command to conduct timestomping by setting a specified file's timestamps to match those of a system file in the System32 directory.[58] |
G0106 | Rocke | |
S0185 | SEASHARPEE | SEASHARPEE can timestomp files on victims using a Web shell.[60] |
S0140 | Shamoon | Shamoon can change the modified time for files to evade forensic detection.[61] |
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 modified timestamps of backdoors to match legitimate Windows files.[62] |
S0603 | Stuxnet | Stuxnet extracts and writes driver files that match the times of other legitimate files.[63] |
S0586 | TAINTEDSCRIBE | TAINTEDSCRIBE can change the timestamp of specified filenames.[64] |
S0164 | TDTESS | After creating a new service for persistence, TDTESS sets the file creation time for the service to the creation time of the victim's legitimate svchost.exe file.[65] |
S0136 | USBStealer | USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.[66] |
S0141 | Winnti for Windows | Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe.[67] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor executed commands and arguments for actions that could be taken to alter generated artifacts on a host system (e.g., |
DS0022 | File | File Metadata | Monitor for modifications to file metadata. Compare the |
| | File Modification | Monitor for unexpected modifications to file timestamps. |
DS0009 | Process | OS API Execution | Monitor for API calls that may delete or alter generated artifacts on a host system. APIs (e.g., |