Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
Set a file's access timestamp (sh; linux, macos)
Stomps on the access timestamp of a file
```sh
touch -a -t 197001010000.00 #{target_filename}
```
Set a file's modification timestamp (sh; linux, macos)
Stomps on the modification timestamp of a file
```sh
touch -m -t 197001010000.00 #{target_filename}
```
Set a file's creation timestamp (sh; elevated; linux, macos)
Stomps on the create timestamp of a file
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change the date. Use with caution.
```sh
NOW=$(date +%m%d%H%M%Y)
date 010100001971
touch #{target_filename}
date "$NOW"
stat #{target_filename}
```
Modify file timestamps using reference file (sh; linux, macos)
Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
```sh
touch #{target_file_path}
touch -acmr #{reference_file_path} #{target_file_path}
```
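A defender-side check for the `touch`-based tests above, added here as an example and not part of Atomic Red Team. It assumes a POSIX filesystem where `st_ctime` is the inode change time; the function names, the one-hour skew and the temp file are constructed for illustration. Archive extraction and `cp -p` produce the same pattern, so treat hits as leads to triage, not verdicts.

```python
import os
import tempfile

NS = 1_000_000_000

def timestomp_indicators(path, skew_seconds=3600):
    """Return heuristic indicators that atime/mtime were set explicitly.

    Assumption: st_ctime is the inode change time, which the utimensat()
    call behind touch cannot set to an arbitrary value.
    """
    st = os.stat(path, follow_symlinks=False)
    hits = []
    for name, ts in (("atime", st.st_atime_ns), ("mtime", st.st_mtime_ns)):
        # touch -t / touch -r rewrite the timestamp, and the kernel stamps
        # ctime with the real current time as a side effect.
        if st.st_ctime_ns - ts > skew_seconds * NS:
            hits.append(f"{name}_older_than_ctime")
        # touch -t takes whole seconds, leaving a .000000000 fraction that
        # ordinary writes on nanosecond filesystems almost never produce.
        if ts % NS == 0:
            hits.append(f"{name}_zero_nanoseconds")
    return hits

def demo():
    """Constructed sample: emulate `touch -m -t 197001010000.00` (UTC)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.log")  # hypothetical file name
        with open(path, "w") as f:
            f.write("constructed sample\n")
        before = timestomp_indicators(path)
        st = os.stat(path)
        # Keep atime as it is, push mtime back to 1970-01-01 00:00:00 UTC.
        os.utime(path, ns=(st.st_atime_ns, 0))
        after = timestomp_indicators(path)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The clock-change test rewrites ctime with the altered clock as well, so this comparison does not flag it; that test has to be caught through clock-change telemetry instead.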
Windows - Modify file creation timestamp with PowerShell (powershell; windows)
Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.
```powershell
Get-ChildItem "#{file_path}" | % { $_.CreationTime = "#{target_date_time}" }
```
Windows - Modify file last modified timestamp with PowerShell (powershell; windows)
Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.
```powershell
Get-ChildItem "#{file_path}" | % { $_.LastWriteTime = "#{target_date_time}" }
```
Windows - Modify file last access timestamp with PowerShell (powershell; windows)
Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.
```powershell
Get-ChildItem "#{file_path}" | % { $_.LastAccessTime = "#{target_date_time}" }
```
Windows - Timestomp a File (powershell; windows)
Timestomp kxwn.lock.
Successful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file.
[MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml)
```powershell
import-module "#{file_path}\timestomp.ps1"
timestomp -dest "#{file_path}\kxwn.lock"
```
macOS - Timestomp Date Modified (sh; macos)
Stomps on the modification timestamp of a file using macOS's SetFile utility
```sh
SetFile -m #{target_date} #{target_filename}
```
Event Log Manipulations - Time slipping via PowerShell (powershell; elevated; windows)
Changes the system time on the computer to a time that you specify. It involves altering the system's clock or adjusting the dates of files, affecting timestamp integrity within Event Logs. This technique can disrupt the sequence of logged events, complicating incident analysis and forensics.
References:
https://detect.fyi/event-log-manipulations-1-time-slipping-55bf95631c40
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/set-date?view=powershell-7.4
```powershell
try {
    # Shift the system clock by the requested number of days
    Set-Date -Date (Get-Date).AddDays(#{days_to_modify})
    # Record the offset so the change can be reverted later
    Add-Content "$env:APPDATA\slipDays.bak" #{days_to_modify}
}
catch { exit 1 }
```