Timestomp
Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files. Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file. `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel. Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file. Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously. Timestomping may be used along with file name Masquerading to hide malware and tools.
Open detection, hunting, mitigation, and evidence workspace
Detection logic
Forensic techniques exist to detect aspects of files that have had their timestamps modified. It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.
Observed actors
Correlated CTI and IR reports
1200km CTI repository · explicit report mentionAttack Playbook — Operation DragonRx
1200km CTI repository · explicit report mentionAPT41 Targeting Pharmaceutical Sector Log4Shell to Domain Compromise
1200km Medium · authored report mentionAttack Playbook Operation DragonRx
1200km Medium · authored report mention