This note documents detection patterns related to Timestomping within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 2 | File creation time changed | Critical | Primary timestomp detection event. |
| Sysmon | 11 | File create | Critical | File appears before timestamp alteration. |
| Security | 4663 | File access | High | File touched during timestomp workflow. |
| Security | 4688 | Process creation | Critical | Detects timestomp tooling. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for file tampering chain. |
| Sysmon | 23 | File delete | Medium | Cleanup after timestomp. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Timestamp older than surrounding MFT activity | Timeline inconsistency | Critical | Core timestomp clue. |
| $STANDARD_INFORMATION vs $FILE_NAME mismatch | NTFS timestamp divergence | Critical | High-confidence forensic signal. |
| File created then immediately timestamp altered | Strong malicious pattern | Critical | Classic attacker behavior. |
| Tool writes to payload after drop | Strong sequence | Critical | High-value chain. |
| Multiple files share same fake time | Bulk timestomp | High | Campaign clue. |
| Temp/AppData payload with old timestamp | Strong anomaly | High | Suspicious artifact. |
Common Tools
| Tool | Usage |
|---|---|
| PowerShell | Set file timestamps |
| timestomp.exe | Metasploit-style timestomp |
| cmd.exe | Copy timestamp tricks |
| custom malware | API timestamp alteration |
Relevant Artifacts
- Sysmon Event IDs 2, 11, 1, 23
- Security Event IDs 4663, 4688
- MFT:
  - $STANDARD_INFORMATION
  - $FILE_NAME
- USN Journal
- Prefetch for timestomp tool
- File metadata timeline
MITRE ATT&CK References
- T1070.006 Timestomp
Decision Tree
- Which file altered?
  - Payload
  - Script
  - DLL
- Which timestamp changed?
  - Created
  - Modified
  - Accessed
- MFT mismatch present?
  - Yes
  - No
- Adjacent activity?
  - Drop
  - Execution
  - Archive
- Expand:
  - USN
  - MFT timeline
  - Parent process
- Scope:
  - Single file
  - Bulk timestomp
  - Campaign behavior
Example Detection Templates
KQL
```kql
// Sysmon Event ID 2: file creation time changed (table/parser name as used in this note)
Sysmon
| where EventID == 2
| project TimeGenerated, Computer, TargetFilename, CreationUtcTime, PreviousCreationUtcTime
```
```kql
// Security 4688: process creation with timestomp-style tooling on the command line
SecurityEvent
| where EventID == 4688
| where CommandLine has_any ("timestomp", "SetCreationTime")
| project TimeGenerated, Computer, CommandLine
```
EQL
```eql
// Any Sysmon Event 2 (creation time changed)
file where event.code == "2"
```
```eql
// File create (Event 11) followed by creation time change (Event 2) on the same host within 5 minutes
sequence by host.name with maxspan=5m
  [ file where event.code == "11" ]
  [ file where event.code == "2" ]
```
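An added example, not part of the original note, that runs two of the correlations above over constructed Sysmon records: the Event 11 then Event 2 drop-then-timestomp sequence from the EQL rule, and the "multiple files share same fake time" indirect indicator. The file paths, timestamps and the 5-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TMP = r"C:\Users\a\AppData\Local\Temp"
FAKE = "2019-04-11 08:00:00.000"  # constructed backdated value written to two files

# Constructed Sysmon records, not real telemetry. Keys mirror the EventData
# fields this note projects (TargetFilename, CreationUtcTime,
# PreviousCreationUtcTime). Event 11 = FileCreate, Event 2 = creation time changed.
EVENTS = [
    {"EventID": 11, "UtcTime": "2026-03-07 10:00:00.000", "TargetFilename": TMP + r"\payload.dll"},
    {"EventID": 11, "UtcTime": "2026-03-07 10:00:01.000", "TargetFilename": TMP + r"\helper.dll"},
    {"EventID": 2, "UtcTime": "2026-03-07 10:00:03.000", "TargetFilename": TMP + r"\payload.dll",
     "CreationUtcTime": FAKE, "PreviousCreationUtcTime": "2026-03-07 10:00:00.000"},
    {"EventID": 2, "UtcTime": "2026-03-07 10:00:04.000", "TargetFilename": TMP + r"\helper.dll",
     "CreationUtcTime": FAKE, "PreviousCreationUtcTime": "2026-03-07 10:00:01.000"},
    # Control: no Event 11 in the window and the time moves forward, so nothing fires.
    {"EventID": 2, "UtcTime": "2026-03-07 11:30:00.000", "TargetFilename": r"C:\ProgramData\app\cache.bin",
     "CreationUtcTime": "2026-03-07 11:29:59.000", "PreviousCreationUtcTime": "2026-03-01 09:00:00.000"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def drop_then_timestomp(events, maxspan=timedelta(minutes=5)):
    """Event 11 then Event 2 on the same file within maxspan, with the new
    creation time earlier than the previous one. Returns [(file, days_backdated)]."""
    last_create, hits = {}, []
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        name = ev["TargetFilename"].lower()
        if ev["EventID"] == 11:
            last_create[name] = _ts(ev["UtcTime"])
        elif ev["EventID"] == 2 and name in last_create:
            new, old = _ts(ev["CreationUtcTime"]), _ts(ev["PreviousCreationUtcTime"])
            if _ts(ev["UtcTime"]) - last_create[name] <= maxspan and new < old:
                hits.append((ev["TargetFilename"], (old - new).days))
    return hits

def bulk_fake_time(events, min_files=2):
    """Distinct files whose Event 2 wrote the identical CreationUtcTime: the
    'multiple files share same fake time' campaign clue. Returns {time: [files]}."""
    by_time = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 2:
            by_time[ev["CreationUtcTime"]].add(ev["TargetFilename"])
    return {t: sorted(f) for t, f in by_time.items() if len(f) >= min_files}

if __name__ == "__main__":
    print(drop_then_timestomp(EVENTS))
    print(bulk_fake_time(EVENTS))
```

Legitimate copy and restore tools also rewrite creation times, so in production the drop-then-timestomp hit should be enriched with the parent process (Sysmon Event 1) before it is escalated.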
Sigma
```yaml
title: Timestomping Detection
id: 4a8c2f16-timestomp
status: experimental
description: Detects file creation time modification
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 2
  condition: selection
fields:
  - TargetFilename
  - CreationUtcTime
  - PreviousCreationUtcTime
falsepositives:
  - Rare legitimate software
level: high
tags:
  - attack.defense_evasion
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Enable Sysmon 2 | Critical visibility | Critical | Primary signal |
| Compare MFT attributes | High-confidence validation | Critical | Strong DFIR method |
| Preserve USN Journal | Catch hidden edits | High | Valuable timeline |
| Alert on drop + timestomp | Strong sequence | Critical | High-confidence triage |
| File timeline baselining | Detect anomalies | High | Valuable enrichment |