Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Изменение временных меток
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Изменение временных меток
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Indicator Removal:  Изменение временных меток

ID Название
.001 Очистка журналов событий Windows
.002 Очистка системных журналов Linux или Mac
.003 Очистка истории команд
.004 Удаление файлов
.005 Удаление подключений к общим сетевым ресурсам
.006 Изменение временных меток
.007 Очистка истории сетевых соединений и конфигураций
.008 Очистка почтового ящика
.009 Удаление индикаторов компрометации
.010 Relocate Malware

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files. In Windows systems, both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics) Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022) Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping) In Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t ` (which sets access and modification times to a specific value) or `touch -r ` (which sets access and modification times to match those of another file).(Citation: Inversecos Linux Timestomping)(Citation: Juniper Networks ESXi Backdoor 2022) Timestomping may be used along with file name Masquerading to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)

ID: T1070.006
Относится к технике:  T1070
Тактика(-и): Defense Evasion
Платформы: ESXi, Linux, Windows, macOS
Источники данных: Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution
Версия: 1.2
Дата создания: 31 Jan 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
BLINDINGCAN

BLINDINGCAN has modified file and directory timestamps.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)
Ninja

Ninja can change or create the last access or write times.(Citation: Kaspersky ToddyCat June 2022)
Stuxnet

Stuxnet extracts and writes driver files that match the times of other legitimate files.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
SEASHARPEE

SEASHARPEE can timestomp files on victims using a Web shell.(Citation: FireEye APT34 Webinar Dec 2017)
TDTESS

After creating a new service for persistence, TDTESS sets the file creation time for the service to the creation time of the victim's legitimate svchost.exe file.(Citation: ClearSky Wilted Tulip July 2017)
Misdat

Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.(Citation: Cylance Dust Storm)
Bankshot

Bankshot modifies the time of a file as specified by the control server.(Citation: McAfee Bankshot)
UPSTYLE

UPSTYLE restores timestamps to original values following modification.(Citation: Volexity UPSTYLE 2024)
Empire

Empire can timestomp any files or payloads placed on a target machine to help them blend in.(Citation: Github PowerShell Empire)
PingPull

PingPull has the ability to timestomp a file.(Citation: Unit 42 PingPull Jun 2022)
BlackByte 2.0 Ransomware

BlackByte 2.0 Ransomware can timestomp files for defense evasion and anti-forensics purposes.(Citation: Microsoft BlackByte 2023)
InvisiMole

InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times.(Citation: ESET InvisiMole June 2018)
CHIMNEYSWEEP

CHIMNEYSWEEP can time stomp its executable, previously dating it between 2010 to 2021.(Citation: Mandiant ROADSWEEP August 2022)
China Chopper

China Chopper's server component can change the timestamp of files.(Citation: FireEye Periscope March 2018)(Citation: Lee 2013)(Citation: NCSC Joint Report Public Tools)
KeyBoy

KeyBoy time-stomped its DLL in order to evade detection.(Citation: PWC KeyBoys Feb 2017)
POSHSPY

POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.(Citation: FireEye POSHSPY April 2017)
MultiLayer Wiper

MultiLayer Wiper changes timestamps of overwritten files to either 1601.1.1 for NTFS filesystems, or 1980.1.1 for all other filesystems.(Citation: Unit42 Agrius 2023)
Elise

Elise performs timestomping of a CAB file it creates.(Citation: Lotus Blossom Jun 2015)
Gazer

For early Gazer versions, the compilation timestamp was faked.(Citation: ESET Gazer Aug 2017)
3PARA RAT

3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files.(Citation: CrowdStrike Putter Panda)
EVILNUM

EVILNUM has changed the creation date of files.(Citation: Prevailion EvilNum May 2020)
TAINTEDSCRIBE

TAINTEDSCRIBE can change the timestamp of specified filenames.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)
Shamoon

Shamoon can change the modified time for files to evade forensic detection.(Citation: McAfee Shamoon December 2018)

BPFDoor

BPFDoor uses the `utimes()` function to change the executable's timestamp.(Citation: Sandfly BPFDoor 2022)

Attor

Attor has manipulated the time of last access to files and registry keys after they have been created or modified.(Citation: ESET Attor Oct 2019)
NightClub

NightClub can modify the Creation, Access, and Write timestamps for malicious DLLs to match those of the genuine Windows DLL user32.dll.(Citation: MoustachedBouncer ESET August 2023)
Derusbi

The Derusbi malware supports timestomping.(Citation: Novetta-Axiom)(Citation: Fidelis Turbo)
Kobalos

Kobalos can modify timestamps of replaced files, such as ssh with the added credential stealer or sshd used to deploy Kobalos.(Citation: ESET Kobalos Jan 2021)

OwaAuth

OwaAuth has a command to timestop a file or directory.(Citation: Dell TG-3390)
Cobalt Strike

Cobalt Strike will timestomp any files or payloads placed on a target machine to help them blend in.(Citation: cobaltstrike manual)
Cobalt Strike

Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)
USBStealer

USBStealer sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.(Citation: ESET Sednit USBStealer 2014)
OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D can use the touch -t command to change timestamps.(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: 20 macOS Common Tools and Techniques)
Cyclops Blink

Cyclops Blink has the ability to use the Linux API function `utime` to change the timestamps of modified firmware update images.(Citation: NCSC Cyclops Blink February 2022)
MacMa

MacMa has the capability to create and modify file timestamps.(Citation: ESET DazzleSpy Jan 2022)
Winnti for Windows

Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe.(Citation: Novetta Winnti April 2015)
PowerStallion

PowerStallion modifies the MAC times of its local log files to match that of the victim's desktop.ini file.(Citation: ESET Turla PowerShell May 2019)
metaMain

metaMain can change the `CreationTime`, `LastAccessTime`, and `LastWriteTime` file time attributes when executed with `SYSTEM` privileges.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
Psylo

Psylo has a command to conduct timestomping by setting a specified file’s timestamps to match those of a system file in the System32 directory.(Citation: Scarlet Mimic Jan 2016)
Gelsemium

Gelsemium has the ability to perform timestomping of files on targeted systems.(Citation: ESET Gelsemium June 2021)
BitPaymer

BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool.(Citation: Crowdstrike Indrik November 2018)
FALLCHILL

FALLCHILL can modify file or directory timestamps.(Citation: US-CERT FALLCHILL Nov 2017)
APT28

APT28 has performed timestomping on victim files.(Citation: Crowdstrike DNC June 2016)
Lazarus Group

Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee GhostSecret)
APT29

APT29 has used timestomping to alter the Standard Information timestamps on their web shells to match other files in the same directory.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
APT29

APT29 modified timestamps of backdoors to match legitimate Windows files.(Citation: Microsoft Deep Dive Solorigate January 2021)
APT38

APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)
Rocke

Rocke has changed the time stamp of certain files.(Citation: Anomali Rocke March 2019)

APT32

APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.(Citation: FireEye APT32 May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)
TEMP.Veles

TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.(Citation: FireEye TRITON 2019)
Chimera

Chimera has used a Windows version of the Linux touch command to modify the date and time stamp on DLLs.(Citation: NCC Group Chimera January 2021)
Kimsuky

Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.(Citation: Cybereason Kimsuky November 2020)
APT5

APT5 has modified file timestamps.(Citation: Mandiant Pulse Secure Update May 2021)
UNC2452

UNC2452 modified timestamps of backdoors to match legitimate Windows files.(Citation: Microsoft Deep Dive Solorigate January 2021)

Контрмеры
Контрмера Описание
Timestomp Mitigation

Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Обнаружение

Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.

Ссылки

  1. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  2. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  3. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
  4. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  5. Matthew Dunwoody. (2022, April 28). I have seen double-timestomping ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.
  6. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  7. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  8. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  9. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  10. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  11. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  12. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  13. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  14. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  15. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
  16. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  17. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  18. NHS Digital . (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020.
  19. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  20. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  21. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  22. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  23. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  24. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  25. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  26. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  27. Asher Langton. (2022, December 9). A Custom Python Backdoor for VMWare ESXi Servers. Retrieved March 26, 2025.
  28. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  29. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  30. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  31. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  32. Carvey, H. (2013, July 23). HowTo: Determine/Detect the use of Anti-Forensics Techniques. Retrieved June 3, 2016.
  33. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
  34. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  35. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  36. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  37. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  38. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  39. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  40. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
  41. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  42. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  43. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  44. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  45. Vishavjit Singh. (2023, June 22). TIMESTOMPING EXPLAINED ON API LEVEL. Retrieved June 20, 2024.
  46. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  47. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  48. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  49. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  50. Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.
  51. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  52. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  53. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  54. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  55. The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.
  56. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  57. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  58. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024.
  59. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  60. Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping Detection – NTFS Forensics. Retrieved September 30, 2024.
  61. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  62. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  63. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  64. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  65. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  66. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  67. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  68. inversecos. (2022, August 4). Detecting Linux Anti-Forensics: Timestomping. Retrieved March 26, 2025.
  69. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  70. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved November 17, 2024.
  71. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020.
  72. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  73. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.