Timestomp

Technique
ID: T1099
Tactic: Defense Evasion
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10
Permissions Required: User, Administrator, SYSTEM
Data Sources: File monitoring, Process monitoring, Process command-line parameters
Defense Bypassed: Host forensic analysis

Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools.[1]

Examples

  • APT28 has performed timestomping on victim files.[2]
  • APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016.[3]
  • Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp of legitimate .exe files (such as calc.exe or mspaint.exe) to their dropped files.[4][5]
  • 3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.[6]
  • Cobalt Strike will timestomp any files or payloads placed on a target machine to help them blend in.[7]
  • The Derusbi malware supports timestomping.[8][9]
  • Elise performs timestomping of a CAB file it creates.[10]
  • Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.[11]
  • OwaAuth has a command to timestomp a file or directory.[12]
  • POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.[13]
  • Psylo has a command to conduct timestomping by setting a specified file’s timestamps to match those of a system file in the System32 directory.[14]
  • USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.[15]

Mitigation

Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting[16] tools like AppLocker[17][18] or Software Restriction Policies[19] where appropriate.[20]

Detection

Forensic techniques exist to detect aspects of files that have had their timestamps modified.[1] It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.
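The comparison of timestamp values described above, as an added example that is not part of the ATT&CK entry: a small Python detector run over constructed per-file snapshots (the kind of record a file-monitoring agent could emit at handle close). It flags a created or modified time that moves backwards between snapshots and a modified time set to whole-second precision on a 100 ns filesystem; the snapshot format and file paths are assumptions for the example.

```python
"""Heuristic timestomp detection over constructed file-monitoring snapshots.

Each snapshot records a file's created/modified timestamps as observed when a
handle to it is closed. Two checks are applied:
  1. a timestamp that moves backwards between snapshots (normal use only
     advances the modified time and never rewrites the creation time);
  2. a modified time with a zero sub-second part on a filesystem that keeps
     100 ns resolution, a common artefact of tools that copy or set a
     whole-second value (noisy on its own: archive extraction and copies
     from FAT volumes also yield whole-second times).
"""
from datetime import datetime


def parse_ts(s: str):
    """'2016-06-02T10:15:30.1234567' -> (datetime to the second, 100 ns ticks)."""
    base, _, frac = s.partition(".")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S"), int((frac or "0").ljust(7, "0")[:7])


def detect_timestomp(snapshots):
    """Return (path, rule, detail) alerts; snapshots must be in observation order."""
    last, alerts = {}, []
    for snap in snapshots:
        path, prev = snap["path"], last.get(snap["path"])
        for field in ("created", "modified"):
            if prev and parse_ts(snap[field]) < parse_ts(prev[field]):
                alerts.append((path, f"{field}_went_backwards", f"{prev[field]} -> {snap[field]}"))
        # Only judge precision on a value we have not seen before for this file.
        changed = prev is None or snap["modified"] != prev["modified"]
        if changed and parse_ts(snap["modified"])[1] == 0:
            alerts.append((path, "whole_second_modified", snap["modified"]))
        last[path] = snap
    return alerts


# Constructed sample data (hypothetical paths): a stable system binary, a dropped
# file whose times are later pulled back to mimic it, and a legitimately edited file.
SNAPSHOTS = [
    {"path": "C:/Windows/System32/calc.exe", "created": "2009-07-14T01:14:30.1234567", "modified": "2009-07-14T01:14:30.1234567"},
    {"path": "C:/Users/Public/svchost.exe", "created": "2023-03-01T12:00:00.5550001", "modified": "2023-03-01T12:00:05.7770002"},
    {"path": "C:/Users/Public/svchost.exe", "created": "2009-07-14T01:14:30.0000000", "modified": "2009-07-14T01:14:30.0000000"},
    {"path": "C:/Users/Public/notes.txt", "created": "2023-03-01T09:00:00.1000000", "modified": "2023-03-01T09:00:00.1000000"},
    {"path": "C:/Users/Public/notes.txt", "created": "2023-03-01T09:00:00.1000000", "modified": "2023-03-01T09:30:12.4420000"},
]

if __name__ == "__main__":
    for alert in detect_timestomp(SNAPSHOTS):
        print(*alert)
```

Only the dropped file trips the checks; the genuine edit of notes.txt advances the modified time and keeps sub-second precision, so it stays quiet.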

References