Stealth

T1070.006: Timestomp

T1070.006 · Sub-technique · 4 platforms · 11 groups

Description

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.

In Windows systems, both the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) $SI (dates/time stamps) is displayed to the end user, including in the File System view, while $FN is dealt with by the kernel.(Citation: Magnet Forensics)

Modifying the $SI attribute is the most common method of timestomping because it can be modified at the user level using API calls. $FN timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)

Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the $SI and $FN attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
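The $SI/$FN discrepancy check described above, as an added example that is not part of the ATT&CK page: it takes creation timestamps an MFT parser would produce (as raw NTFS FILETIME ticks) and flags records where the user-settable $SI value predates the kernel-maintained $FN value. The zeroed-sub-second heuristic and all sample records are constructed assumptions, and the double-stomped record shows the evasion the description mentions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# NTFS stores timestamps as FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def dt_to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """Build a FILETIME from a datetime plus optional sub-microsecond ticks."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10 + extra_ticks


@dataclass(frozen=True)
class MftRecord:
    """The two creation timestamps an MFT parser would hand us for one file."""
    path: str
    si_created: int  # $STANDARD_INFORMATION: user-settable via API calls
    fn_created: int  # $FILE_NAME: maintained by the kernel on create/rename/move


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return the reasons a record looks timestomped; empty means no finding."""
    reasons = []
    # $FN is written when the file is created or moved; $SI can be backdated
    # from user mode, so $SI earlier than $FN is the classic discrepancy.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation predates $FN creation")
    # Heuristic (assumption, not from the page): many user-mode tools write
    # whole seconds, so a zeroed fraction on $SI while $FN keeps one stands out.
    if rec.si_created % TICKS_PER_SECOND == 0 and rec.fn_created % TICKS_PER_SECOND:
        reasons.append("$SI creation has zeroed sub-second precision")
    return reasons


def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map each flagged path to its indicators; clean records are omitted."""
    return {r.path: timestomp_indicators(r) for r in records if timestomp_indicators(r)}


# Constructed sample records (not real forensic data).
T_LEGIT = dt_to_filetime(datetime(2023, 5, 10, 9, 15, 30, 123456, tzinfo=timezone.utc), 7)
T_FAKE = dt_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc))  # whole second
T_DROP = dt_to_filetime(datetime(2023, 5, 10, 9, 15, 31, 500000, tzinfo=timezone.utc))
SAMPLE = [
    MftRecord(r"C:\Windows\System32\legit.dll", T_LEGIT, T_LEGIT),  # untouched
    MftRecord(r"C:\Windows\Temp\payload.dll", T_FAKE, T_DROP),     # $SI stomped only
    MftRecord(r"C:\Windows\Temp\stealthy.dll", T_FAKE, T_FAKE),    # double-stomped: passes
]
```

Only the single-attribute stomp is flagged; the double-stomped record is indistinguishable from a legitimate file by this check alone, which is why it should be corroborated with other evidence such as USN journal or $LogFile entries.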

In Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t` (which sets access and modification times to a specific value) or `touch -r` (which sets access and modification times to match those of another file).(Citation: Inversecos Linux Timestomping)(Citation: Juniper Networks ESXi Backdoor 2022)
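An added example (not from the ATT&CK page) of what the `touch -r` behaviour above leaves behind on a POSIX filesystem: `utime()` can copy atime and mtime from a reference file, but ctime is not settable from user space and is bumped to the current time, so a file whose mtime lags far behind its ctime is worth a closer look. The temp-directory scenario, file names and 60-second slack are constructed assumptions.

```python
import os
import tempfile
import time

YEAR_NS = 365 * 86400 * 10**9


def apply_touch_r(path: str, reference: str) -> None:
    """What `touch -r reference path` does: copy atime and mtime from reference.
    ctime cannot be set this way; the kernel updates it to 'now' instead."""
    ref = os.stat(reference)
    os.utime(path, ns=(ref.st_atime_ns, ref.st_mtime_ns))


def mtime_lags_ctime(path: str, slack_s: float = 60.0) -> bool:
    """True when ctime is more than slack_s newer than mtime.
    A metadata change long after the last content write is not proof of
    tampering (chmod or chown does it too), but it is the residue touch leaves."""
    st = os.stat(path)
    return (st.st_ctime_ns - st.st_mtime_ns) / 1e9 > slack_s


def demo() -> dict[str, bool]:
    """Constructed scenario: a year-old reference file and a freshly dropped one."""
    with tempfile.TemporaryDirectory() as d:
        reference = os.path.join(d, "legit.conf")
        dropped = os.path.join(d, "dropped.sh")
        for p in (reference, dropped):
            with open(p, "w") as f:
                f.write("# constructed sample\n")
        old = time.time_ns() - YEAR_NS
        os.utime(reference, ns=(old, old))  # make the reference look a year old
        before = mtime_lags_ctime(dropped)  # fresh file: mtime is close to ctime
        apply_touch_r(dropped, reference)
        after = mtime_lags_ctime(dropped)   # backdated mtime, current ctime
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```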

Timestomping may be used along with file name Masquerading to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)

Platforms

ESXi, Linux, macOS, Windows

Threat Groups (11)

| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has performed timestomping on victim files.(Citation: Crowdstrike DNC June 2016) |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has modified file timestamps.(Citation: Mandiant Pulse Secure Update May 2021) |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used scripts to timestomp ESXi hosts prior to installing malicious vSphere Installation Bundles (... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has modified data timestamps to mimic files that are in the same folder on a compromised host.(Citation... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the ... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has manipulated timestamps for creation or compilation dates to defeat anti-forensics.(Citation: Cybe... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used timestomping to alter the Standard Information timestamps on their web shells to match other f... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used a Windows version of the Linux `touch` command to modify the date and time stamp ... |
| G0032 | Lazarus Group | Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families use timestomping, including modifying the last write timestamp of a sp... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has modified file timestamps from the export address table (EAT) in malware to make it difficul... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has changed the time stamp of certain files.(Citation: Anomali Rocke March 2019) |

Associated Software (44)

| ID | Name | Type | Context |
|---|---|---|---|
| S0586 | TAINTEDSCRIBE | Malware | [TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can change the timestamp of specified filenames.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCR... |
| S0687 | Cyclops Blink | Malware | [Cyclops Blink](https://attack.mitre.org/software/S0687) has the ability to use the Linux API function `utime` to change the timestamps of modified fi... |
| S0168 | Gazer | Malware | For early [Gazer](https://attack.mitre.org/software/S0168) versions, the compilation timestamp was faked.(Citation: ESET Gazer Aug 2017) |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) extracts and writes driver files that match the times of other legitimate files.(Citation: Nicolas ... |
| S0239 | Bankshot | Malware | [Bankshot](https://attack.mitre.org/software/S0239) modifies the time of a file as specified by the control server.(Citation: McAfee Bankshot) |
| S0181 | FALLCHILL | Malware | [FALLCHILL](https://attack.mitre.org/software/S0181) can modify file or directory timestamps.(Citation: US-CERT FALLCHILL Nov 2017) |
| S1181 | BlackByte 2.0 Ransomware | Malware | [BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) can timestomp files for defense evasion and anti-forensics purposes.(Citation: Mic... |
| S0072 | OwaAuth | Malware | [OwaAuth](https://attack.mitre.org/software/S0072) has a command to timestomp a file or directory.(Citation: Dell TG-3390) |
| S1090 | NightClub | Malware | [NightClub](https://attack.mitre.org/software/S1090) can modify the Creation, Access, and Write timestamps for malicious DLLs to match those of the ge... |
| S0136 | USBStealer | Malware | [USBStealer](https://attack.mitre.org/software/S0136) sets the timestamps of its dropper files to the last-access and last-write timestamps of a stand... |
| S0570 | BitPaymer | Malware | [BitPaymer](https://attack.mitre.org/software/S0570) can modify the timestamp of an executable so that it can be identified and restored by the decryp... |
| S0021 | Derusbi | Malware | The [Derusbi](https://attack.mitre.org/software/S0021) malware supports timestomping.(Citation: Novetta-Axiom)(Citation: Fidelis Turbo) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can timestomp any files or payloads placed on a target machine to help them blend in.(Citatio... |
| S0352 | OSX_OCEANLOTUS.D | Malware | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can use the `touch -t` command to change timestamps.(Citation: Trend Micro MacO... |
| S0393 | PowerStallion | Malware | [PowerStallion](https://attack.mitre.org/software/S0393) modifies the MAC times of its local log files to match that of the victim's desktop.ini file.... |
| S0185 | SEASHARPEE | Malware | [SEASHARPEE](https://attack.mitre.org/software/S0185) can timestomp files on victims using a Web shell.(Citation: FireEye APT34 Webinar Dec 2017) |
| S0081 | Elise | Malware | [Elise](https://attack.mitre.org/software/S0081) performs timestomping of a CAB file it creates.(Citation: Lotus Blossom Jun 2015) |
| S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023) can alter timestamps for directory content on targeted machines.(Citation: ESET HiddenFace 2024... |
| S0387 | KeyBoy | Malware | [KeyBoy](https://attack.mitre.org/software/S0387) time-stomped its DLL in order to evade detection.(Citation: PWC KeyBoys Feb 2017) |
| S0568 | EVILNUM | Malware | [EVILNUM](https://attack.mitre.org/software/S0568) has changed the creation date of files.(Citation: Prevailion EvilNum May 2020) |

Frequently Asked Questions

What is T1070.006 (Timestomp)?

T1070.006 is a MITRE ATT&CK technique named 'Timestomp'. It belongs to the Stealth tactic(s). Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change t...

How can T1070.006 be detected?

Detection of T1070.006 (Timestomp) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1070.006?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1070.006?

Known threat groups using T1070.006 include: APT28, APT5, UNC3886, APT38, APT32, Kimsuky, APT29, Chimera.