File Creation Date Changed to Another Year

Original Analytic

title: File Creation Date Changed to Another Year
id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
status: test
description: |
    Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
    Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
references:
    - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-12
modified: 2022-10-25
tags:
    - attack.t1070.006
    - attack.defense-evasion
logsource:
    category: file_change
    product: windows
detection:
    selection1:
        PreviousCreationUtcTime|startswith: '2022'
    filter1:
        CreationUtcTime|startswith: '2022'
    selection2:
        PreviousCreationUtcTime|startswith: '202'
    filter2:
        CreationUtcTime|startswith: '202'
    gen_filter_updates:
        - Image:
            - 'C:\Windows\system32\ProvTool.exe'
            - 'C:\Windows\System32\usocoreworker.exe'
            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
        - TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
        - TargetFilename|endswith:
            - '.tmp'
            - '.temp'
    gen_filter_tiworker:
        Image|startswith: 'C:\WINDOWS\'
        Image|endswith: '\TiWorker.exe'
        TargetFilename|endswith: '.cab'
    condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter*
falsepositives:
    - Changes made to or by the local NTP service
level: high

Analytic Source: SigmaHQ

Original Analytic Scoring

Application (A)

User-Mode (U)

Kernel-Mode (K)

Core to (Sub-) Technique (5)

Core to Part of (Sub-) Technique (4)
Event ID: 4656
selection1: PreviousCreationUtcTime|startswith: ‘2022’
filter1: CreationUtcTime|startswith: ‘2022’
selection2: PreviousCreationUtcTime|startswith: ‘202’
filter2: CreationUtcTime|startswith: ‘202’

Core to Pre-Existing Tool or Inside Boundary (3)
Filter
Image:
- ‘C:Windowssystem32ProvTool.exe’
- ‘C:WindowsImmersiveControlPanelSystemSettings.exe’

Core to Adversary-Brought Tool or Outside Boundary (2)

Ephemeral (1)
Filter
TargetFilename|startswith: ‘C:ProgramDataUSOPrivateUpdateStore'
TargetFilename|endswith:
- ‘.tmp’
- ‘.temp’
gen_filter_tiworker:
Image|startswith: ‘C:\WINDOWS\’
Image|endswith: ‘\TiWorker.exe’
TargetFilename|endswith: ‘.cab’

This analytic aims to identify changes to a file creation date. We are scoring this analytic based on what it attempts to do, even though the value should be updated to reflect the correct year. Since it targets PreviousCreationUtcTime and CreationUtcTime, which are both accurate fields, this observable was given a score of Level 4: Core to Some Implementations of (Sub-)Technique because it is part of the time-stomping sub-technique and will not detect all implementations. Moving on to the filters, the Image field, which is often an ephemeral value, is scored at a Level 3: Core to Pre-Existing Tools or Inside Boundary because it is a part of the windows core processes and is specific and defined file values within the OS. The next filters that target filenames are Level 1: Ephemeral Values because an adversary can change them very easily. The last grouping of filters, gen_filter_tiworker, is also an ephemeral value because these values are also easy to change. Without including the filter, the analytic would have a score of 4K, but once the scores are combined using Boolean logic, the total score would be a 1K.