Potential Timestomping of Executable Files on Windows
This rule identifies potential timestomping behavior on Windows systems where the creation time of executable files in sensitive system directories is modified, potentially to blend malicious executables with legitimate system files and evade detection.
This detection identifies attempts to modify the timestamps of executable files within sensitive directories on Windows systems, a technique known as timestomping. Timestomping is employed by adversaries to disguise malicious files as legitimate system components, making them harder to detect. The rule focuses on changes to file creation timestamps in directories like System32, SysWOW64, ProgramData, and common startup locations. It excludes known legitimate processes to reduce false positives. The goal of this technique is to evade detection and maintain persistence within the compromised system. This behavior is typically associated with post-exploitation activity after initial access.
Attack Chain
- An attacker gains initial access to a Windows system through various means (e.g., exploiting a vulnerability).
- The attacker uploads a malicious executable (e.g., a backdoor or malware dropper) to a location on the filesystem.
- The attacker uses a tool or script (e.g., PowerShell, built-in Windows utilities) to modify the creation timestamp of the malicious executable.
- The timestamp is set to match that of a legitimate system file in the same directory, such as a DLL in C:\Windows\System32.
- The attacker may then configure persistence for the timestomped executable, such as creating a registry entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
- The malicious executable remains dormant, blending in with other legitimate files and evading initial detection.
- The attacker triggers the execution of the timestomped executable, either manually or through scheduled tasks, registry entries or other persistence mechanisms.
- The malicious executable performs its intended function, such as establishing a reverse shell or deploying ransomware.
Impact
Successful timestomping can allow attackers to maintain a persistent presence on a compromised system while evading detection by security tools and administrators. This can lead to prolonged data theft, system compromise, and other malicious activities. The technique is often used in conjunction with other evasion methods to further obscure malicious activity. A successful attack could lead to data exfiltration, ransomware deployment, or long-term espionage.
Recommendation
- Enable Sysmon Event ID 2 (File creation time changed) logging to capture timestomping activity as described in the setup instructions.
- Deploy the Sigma rule “Potential Timestomp in Executable Files” to your SIEM to detect suspicious file timestamp modifications.
- Investigate any alerts generated by the Sigma rule, focusing on processes modifying file creation times in sensitive system directories.
- Review the process ancestry of processes modifying file timestamps to identify potentially malicious parent processes.
- Monitor for execution of files with recently modified timestamps using process creation logs.
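The detection logic described above (creation-time change on an executable in a sensitive directory, minus an exclusion list of benign writers), as an added Python example run over constructed Sysmon Event ID 2 records; this is not the vendor's rule code, the sample events and the exclusion list are assumptions, and the "backdated" flag is an extra triage signal beyond what the rule itself checks.

```python
from datetime import datetime

# Constructed sample Sysmon Event ID 2 records (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"EventID": 2, "Image": r"C:\Users\bob\AppData\Local\Temp\stomp.exe",
     "TargetFilename": r"C:\Windows\System32\updhelper.dll",
     "PreviousCreationUtcTime": "2024-05-01 10:00:00.000", "CreationUtcTime": "2019-03-15 09:12:00.000"},
    {"EventID": 2, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\example.sys",
     "PreviousCreationUtcTime": "2024-05-01 10:00:00.000", "CreationUtcTime": "2024-05-01 10:00:01.000"},
    {"EventID": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.exe",
     "PreviousCreationUtcTime": "2024-05-02 08:00:00.000", "CreationUtcTime": "2021-01-10 12:00:00.000"},
    {"EventID": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\bob\Documents\tool.exe",
     "PreviousCreationUtcTime": "2024-05-02 08:00:00.000", "CreationUtcTime": "2021-01-10 12:00:00.000"},
]

# Sensitive locations named in the rule description; paths are lower-cased with backslashes normalised to "/".
SENSITIVE_DIRS = ("/windows/system32/", "/windows/syswow64/", "/programdata/",
                  "/start menu/programs/startup/")
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
# Assumed benign writers (illustrative only; a production exclusion list is tuned per environment).
LEGITIMATE_IMAGES = {"c:/windows/system32/svchost.exe", "c:/windows/system32/tiworker.exe"}

def _norm(path):
    return path.replace("\\", "/").lower()

def is_timestomp_candidate(event):
    """True when a creation-time change hits an executable in a sensitive directory by a non-excluded process."""
    target = _norm(event.get("TargetFilename", ""))
    if event.get("EventID") != 2 or not target.endswith(EXECUTABLE_EXTS):
        return False
    if not any(d in target for d in SENSITIVE_DIRS):
        return False
    return _norm(event.get("Image", "")) not in LEGITIMATE_IMAGES

def is_backdated(event):
    """Triage signal: the new creation time lies before the previous one."""
    fmt = "%Y-%m-%d %H:%M:%S.%f"
    new = datetime.strptime(event["CreationUtcTime"], fmt)
    old = datetime.strptime(event["PreviousCreationUtcTime"], fmt)
    return new < old

def find_timestomp_candidates(events):
    """Return (TargetFilename, Image, backdated) for every event the rule logic would alert on."""
    return [(e["TargetFilename"], e["Image"], is_backdated(e))
            for e in events if is_timestomp_candidate(e)]
```

Pairing each hit with the writing process's parent (from Sysmon Event ID 1) is the natural next step for the process-ancestry review recommended above.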
Detection coverage (2 rules)
Potential Timestomp in System32 Directory
Level: medium. Detects modification of file creation time in the System32 directory, excluding common legitimate processes.
Timestomp on Executable in Startup Folder
Level: high. Detects modification of file creation time for executables in Startup folders.