title: Powershell Timestomp
author: frack113
date: 2021/08/03
description: Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
detection:
    SELECTION_1:
        ScriptBlockText: '*.CreationTime =*'
    SELECTION_2:
        ScriptBlockText: '*.LastWriteTime =*'
    SELECTION_3:
        ScriptBlockText: '*.LastAccessTime =*'
    SELECTION_4:
        ScriptBlockText: '*[IO.File]::SetCreationTime*'
    SELECTION_5:
        ScriptBlockText: '*[IO.File]::SetLastAccessTime*'
    SELECTION_6:
        ScriptBlockText: '*[IO.File]::SetLastWriteTime*'
    condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6)
falsepositives:
    - legitimate admin scripts
id: c6438007-e081-42ce-9483-b067fbef33c3
level: medium
logsource:
    category: ps_script
    definition: Script Block Logging (EnableScriptBlockLogging) must be enabled
    product: windows
modified: 2021/10/16
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
    - https://www.offensive-security.com/metasploit-unleashed/timestomp/
status: experimental
tags:
    - attack.defense_evasion
    - attack.t1070.006
yml_filename: powershell_timestomp.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
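The six selections above are Sigma wildcard strings: `*` matches any run of characters and comparison is case-insensitive, so `$f.creationtime = ...` is caught as well as `$f.CreationTime = ...`. The Python below is an added example, not part of the rule or of the Sigma project, that applies the rule's own patterns to a handful of constructed ScriptBlockText values (the field Script Block Logging writes into event 4104). It includes two values that must not match: a script that only reads `.LastWriteTime` in a comparison, and an assignment written without the space before `=` that the patterns `'*.CreationTime =*'` etc. literally require. The translation helper is hand-rolled rather than `fnmatch` because `fnmatch` would treat `[IO.File]` as a character class.

```python
import re

# The six ScriptBlockText patterns from the rule, copied verbatim.
TIMESTOMP_PATTERNS = [
    "*.CreationTime =*",
    "*.LastWriteTime =*",
    "*.LastAccessTime =*",
    "*[IO.File]::SetCreationTime*",
    "*[IO.File]::SetLastAccessTime*",
    "*[IO.File]::SetLastWriteTime*",
]


def sigma_wildcard_to_regex(pattern):
    """Translate a Sigma string value into an anchored, case-insensitive regex.

    '*' matches any run of characters and '?' exactly one; every other
    character (including '[' and ']') is literal, which is why fnmatch is
    not used here.  Sigma backslash escapes are not needed for these patterns.
    """
    out = ""
    for ch in pattern:
        if ch == "*":
            out += ".*"
        elif ch == "?":
            out += "."
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$", re.IGNORECASE | re.DOTALL)


COMPILED = [(p, sigma_wildcard_to_regex(p)) for p in TIMESTOMP_PATTERNS]


def matched_selections(script_block_text):
    """Return the rule patterns that the given ScriptBlockText satisfies."""
    return [p for p, rx in COMPILED if rx.match(script_block_text)]


def is_timestomp(script_block_text):
    """The rule's condition: any one of the six selections matching is a hit."""
    return bool(matched_selections(script_block_text))


# Constructed sample events (not real logs).  Only ScriptBlockText is used;
# EventID 4104 is the Script Block Logging event that carries that field.
SAMPLE_EVENTS = [
    # 1. Property assignment on a FileInfo object: matches SELECTION_1.
    {"EventID": 4104,
     "ScriptBlockText": "$f = Get-Item C:\\Users\\Public\\a.exe; $f.CreationTime = '01/01/2015 09:00:00'"},
    # 2. Static .NET call: matches SELECTION_6.
    {"EventID": 4104,
     "ScriptBlockText": "[IO.File]::SetLastWriteTime('C:\\Windows\\Temp\\a.dll', (Get-Date '2015-01-01'))"},
    # 3. Lower-case property, copying a timestamp from a system binary: matches SELECTION_3.
    {"EventID": 4104,
     "ScriptBlockText": "(Get-Item $p).lastaccesstime = (Get-Item C:\\Windows\\notepad.exe).LastAccessTime"},
    # 4. Benign housekeeping that only READS LastWriteTime: must not match.
    {"EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } | Remove-Item"},
    # 5. Same timestomp as case 1 but written without the space before '=':
    #    the rule's '*.CreationTime =*' pattern does not cover it.
    {"EventID": 4104,
     "ScriptBlockText": "$f.CreationTime=$ref.CreationTime"},
]


def triage(events):
    """Run the rule over a list of events; return (ScriptBlockText, matched patterns) per hit."""
    hits = []
    for ev in events:
        sel = matched_selections(ev["ScriptBlockText"])
        if sel:
            hits.append((ev["ScriptBlockText"], sel))
    return hits


if __name__ == "__main__":
    for text, sel in triage(SAMPLE_EVENTS):
        print("HIT", sel, "<-", text)
```

Case 5 is the practical caveat: the three property-assignment selections key on the literal `" ="`, so a script that omits the space, or sets the timestamp through another route such as `Set-ItemProperty`, is outside what this rule matches. Tightening that is a change to the rule itself, not to the matcher.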