Timestomp

Information

• Name: Timestomp

• ID: T1070.006

• Tactics: TA0005

• Technique: T1070

Introduction

Timestomp (T1070.006) is a sub-technique within the MITRE ATT&CK framework categorized under "Indicator Removal on Host" (T1070). It involves the manipulation or modification of file timestamps to obscure attacker activities, making forensic analysis and incident response more challenging. Attackers typically use timestomping to conceal file creation, modification, or access dates, hindering accurate timeline reconstruction and detection.

Deep Dive Into Technique

Timestomping involves altering file timestamps—such as creation, modification, access, and metadata change times—to obscure evidence of malicious activity. Attackers utilize various methods and tools to execute this technique, including:

• Native OS Utilities:

  • Windows:

    • powershell: Attackers can leverage PowerShell commands or scripts to modify timestamps.

    • copy and move commands: File operations may alter timestamps indirectly.

  • Linux/Unix:

    • touch: Commonly used to alter access and modification timestamps.

    • stat and date: Used to verify and manipulate file timestamps.

• Third-Party or Custom Tools:

  • Metasploit Framework's timestomp module: Specifically designed to alter timestamps on Windows systems.

  • SetMACE: A standalone utility capable of modifying file timestamps on NTFS file systems.

  • Cobalt Strike's built-in timestomp functionality: Integrated into attacker workflow to mask persistence and lateral movement.

• Underlying Mechanisms:

  • Windows systems store timestamps in the NTFS Master File Table (MFT), making them susceptible to modification through direct MFT manipulation or system API calls.

  • Unix-based systems store timestamps in the inode structure, which can be modified using system calls or utilities that interact directly with file metadata.

• Procedures and Execution:

  • Attackers typically execute timestomping after creating or modifying malicious files, malware payloads, or scripts.

  • They may copy timestamps from legitimate system files to malicious files, blending malicious artifacts with normal system activity.

  • Automated scripts or post-exploitation frameworks frequently integrate timestomping to streamline attacker workflows and evade detection.

When this Technique is Usually Used

Attackers commonly employ timestomping across multiple stages of an attack lifecycle, including:

• Initial Access and Execution:

  • Immediately after dropping malicious payloads or scripts onto the compromised host, attackers may alter timestamps to blend newly introduced files with legitimate system files.

• Persistence and Privilege Escalation:

  • Files used for maintaining persistent access, such as scheduled tasks, startup scripts, or registry entries, may have timestamps modified to hide their recent creation or modification.

• Defense Evasion:

  • Timestomping is primarily a defense evasion technique, used to obstruct forensic investigations by disrupting the chronological reconstruction of attacker actions.

• Exfiltration and Cleanup:

  • After data exfiltration or before leaving the compromised host, attackers may alter timestamps of files and logs to conceal their activity and complicate forensic investigations.

How this Technique is Usually Detected

Detection of timestomping involves multiple methods, tools, and indicators of compromise (IoCs):

• Forensic Analysis Tools:

  • Tools such as EnCase, FTK, Autopsy, and Sleuth Kit can detect inconsistencies in file timestamps or metadata anomalies.

  • Timeline analysis tools (e.g., Plaso, log2timeline) help identify suspicious timestamp anomalies and events out of chronological order.

• Endpoint Detection and Response (EDR) Solutions:

  • EDR tools like CrowdStrike Falcon, Carbon Black, Microsoft Defender for Endpoint, and SentinelOne can detect suspicious API calls or file operations indicative of timestomping.

  • Behavioral detection capabilities in EDR platforms can flag unusual timestamp modifications or patterns.

• File System Analysis:

  • Comparing timestamps across multiple sources (e.g., NTFS MFT records, Windows Event Logs, Prefetch files, registry hives) can uncover discrepancies indicating timestomping.

  • Analysis of NTFS journaling and USN (Update Sequence Number) journal entries can reveal suspicious timestamp manipulations.

• Indicators of Compromise (IoCs):

  • Files with timestamps earlier than OS installation date or significantly inconsistent timestamps.

  • Files with identical timestamps to known legitimate system files.

  • Log entries indicating usage of known timestomp tools or suspicious commands (e.g., PowerShell scripts invoking timestamp modification commands).

Why it is Important to Detect This Technique

Early detection of timestomping is crucial due to its significant implications on forensic investigations, incident response, and overall security posture:

• Forensic Challenges:

  • Timestomping complicates the accurate reconstruction of incident timelines, making it difficult to determine the scope, duration, and impact of an attack.

  • Without reliable timestamps, incident responders may overlook critical evidence or misinterpret attacker actions.

• Incident Response Delays:

  • Obfuscation of timestamps can lead to delays in identifying compromised systems, allowing attackers extended time to maintain persistence, escalate privileges, or exfiltrate sensitive data.

• Increased Attacker Dwell Time:

  • Successful timestomping contributes to increased attacker dwell time, providing attackers more opportunities to conduct lateral movement, data exfiltration, or additional malicious activities.

• Compliance and Legal Implications:

  • Organizations subject to regulatory compliance or legal investigations rely heavily on accurate forensic evidence. Timestomping can undermine evidence integrity, complicating compliance audits or legal proceedings.

• Proactive Defense:

  • Detecting timestomping can serve as an early indicator of compromise, allowing security teams to proactively investigate and remediate before significant damage occurs.

Examples

Real-world examples of timestomping demonstrate its use across various attack scenarios, tools employed, and impacts:

• APT29 (Cozy Bear):

  • Utilized timestomping techniques to modify timestamps on malicious files, making forensic analysis difficult and hindering incident response efforts.

  • Leveraged custom scripts and built-in Windows commands to obscure timestamps and evade detection during espionage campaigns.

• FIN7 Threat Group:

  • Frequently employed timestomping to mask the creation and modification times of malware payloads used in financial sector attacks.

  • Used publicly available tools such as Metasploit's timestomp module and custom PowerShell scripts to alter timestamps.

• Operation Aurora (Google Attack):

  • Attackers modified timestamps of malware files to blend with legitimate system files, complicating forensic analysis and delaying detection.

  • Utilized built-in Windows utilities and custom malware to manipulate file timestamps during the intrusion.

• Carbanak Group:

  • Employed timestomping to conceal malicious scripts and executables on compromised banking systems, extending dwell time and facilitating large-scale financial theft.

  • Used both custom-developed timestomping utilities and publicly available tools to evade detection and forensic analysis.

• Ransomware Operations:

  • Ransomware operators frequently leverage timestomping to hide malicious payloads and scripts, delaying detection and response efforts.

  • Observed in ransomware families such as Ryuk, Conti, and LockBit, where attackers extensively modified timestamps to evade endpoint detection and forensic analysis.

These examples illustrate the widespread use of timestomping by threat actors to evade detection, complicate forensic analysis, and extend operational effectiveness during cyberattacks.