← Library
sigmaDRL-1.1from SigmaHQ/sigma

Powershell Timestomp

Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1070.006
Rule sourcerules/windows/powershell/powershell_script/posh_ps_timestomp.yml
title: Powershell Timestomp
id: c6438007-e081-42ce-9483-b067fbef33c3
status: test
description: |
    Adversaries may modify file time attributes to hide new or changes to existing files.
    Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
    - https://www.offensive-security.com/metasploit-unleashed/timestomp/
author: frack113
date: 2021-08-03
modified: 2022-12-25
tags:
    - attack.defense-evasion
    - attack.t1070.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_ioc:
        ScriptBlockText|contains:
            - '.CreationTime ='
            - '.LastWriteTime ='
            - '.LastAccessTime ='
            - '[IO.File]::SetCreationTime'
            - '[IO.File]::SetLastAccessTime'
            - '[IO.File]::SetLastWriteTime'
    condition: selection_ioc
falsepositives:
    - Legitimate admin script
level: medium