Skip to content

T1070.006 Timestomp

Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.

Timestomping may be used along with file name Masquerading to hide malware and tools.1

Item Value
ID T1070.006
Sub-techniques T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, T1070.006
Tactics TA0005
Platforms Linux, Windows, macOS
Permissions required SYSTEM, User, root
Version 1.0
Created 31 January 2020
Last Modified 29 March 2020

Procedure Examples

ID Name Description
S0066 3PARA RAT 3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.23
G0007 APT28 APT28 has performed timestomping on victim files.49
G0016 APT29 APT29 modified timestamps of backdoors to match legitimate Windows files.51
G0050 APT32 APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.454647
G0082 APT38 APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.43
S0438 Attor Attor has manipulated the time of last access to files and registry keys after they have been created or modified.11
S0239 Bankshot Bankshot modifies the time of a file as specified by the control server.7
S0570 BitPaymer BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool.24
S0520 BLINDINGCAN BLINDINGCAN has modified file and directory timestamps.1920
G0114 Chimera Chimera has used a Windows version of the Linux touch command to modify the date and time stamp on DLLs.52
S0020 China Chopper China Chopper‘s server component can change the timestamp of files.151617
S0154 Cobalt Strike Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in.89
S0687 Cyclops Blink Cyclops Blink has the ability to use the Linux API function utime to change the timestamps of modified firmware update images.22
S0021 Derusbi The Derusbi malware supports timestomping.2829
S0081 Elise Elise performs timestomping of a CAB file it creates.10
S0363 Empire Empire can timestomp any files or payloads placed on a target machine to help them blend in.2
S0568 EVILNUM EVILNUM has changed the creation date of files.13
S0181 FALLCHILL FALLCHILL can modify file or directory timestamps.6
S0168 Gazer For early Gazer versions, the compilation timestamp was faked.33
S0666 Gelsemium Gelsemium has the ability to perform timestomping on targeted systems.4
S0260 InvisiMole InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times.25
S0387 KeyBoy KeyBoy time-stomped its DLL in order to evade detection.34
G0094 Kimsuky Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.44
S0641 Kobalos Kobalos can modify timestamps of replaced files, such as ssh with the added credential stealer or sshd used to deploy Kobalos.35
G0032 Lazarus Group Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.39404142
S0083 Misdat Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.37
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D can use the touch -t command to change timestamps.3031
S0072 OwaAuth OwaAuth has a command to timestop a file or directory.36
S0150 POSHSPY POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.14
S0393 PowerStallion PowerStallion modifies the MAC times of its local log files to match that of the victim’s desktop.ini file.27
S0078 Psylo Psylo has a command to conduct timestomping by setting a specified file’s timestamps to match those of a system file in the System32 directory.3
G0106 Rocke Rocke has changed the time stamp of certain files.48
S0185 SEASHARPEE SEASHARPEE can timestomp files on victims using a Web shell.18
S0140 Shamoon Shamoon can change the modified time for files to evade forensic detection.38
S0603 Stuxnet Stuxnet extracts and writes driver files that match the times of other legitimate files.21
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can change the timestamp of specified filenames.5
S0164 TDTESS After creating a new service for persistence, TDTESS sets the file creation time for the service to the creation time of the victim’s legitimate svchost.exe file.26
G0088 TEMP.Veles TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.50
S0136 USBStealer USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.32
S0141 Winnti for Windows Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe.12

Detection

ID Data Source Data Component
DS0022 File File Metadata

References

  1. Carvey, H. (2013, July 23). HowTo: Determine/Detect the use of Anti-Forensics Techniques. Retrieved June 3, 2016. 

  2. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  3. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. 

  4. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  5. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 

  6. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017. 

  7. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. 

  8. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  9. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  10. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. 

  11. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  12. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  13. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. 

  14. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017. 

  15. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  16. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. 

  17. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. 

  18. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  19. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 

  20. NHS Digital . (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020. 

  21. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. 

  22. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  23. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  24. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  25. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  26. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  27. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  28. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016. 

  29. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. 

  30. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. 

  31. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. 

  32. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. 

  33. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. 

  34. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021. 

  35. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  36. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  37. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020. 

  38. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  39. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. 

  40. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. 

  41. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 

  42. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. 

  43. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  44. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  45. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 

  46. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019. 

  47. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. 

  48. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 

  49. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. 

  50. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. 

  51. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

Back to top