TimeStomp File or Folder

Description

Change the timestamps for specific files or folders to a specific DateTime or mirror another file system entry.

Overview

The timestomp command manipulates the timestamps of file system entries (both files and directories) so that defenders cannot easily leverage timeline analysis to detect malicious indicators of compromise.

Arguments

  • Path: A path to a file or directory to timestomp.
  • Recurse: Recursively timestomp all files and folders in the specified directory, including the top-level directory.
  • Sync: Move the file to synchronize NTFS timestamps with our stomped value.
  • Source: A file or directory whose timestamps will be copied to the target file.
  • Timestamp: The exact time to change to.

Dependencies

  • Common

Operating Systems

  • Windows
  • Linux
  • Mac

Examples

Example 1: Basic Mirror

This example timestomps a single file. By default, the cmdlet selects a random DLL from C:\Windows\System32\ and mirrors its timestamp.

timestomp 'C:\Windows\Temp\payload.exe'

Example 2: Explicit Directory with Recursion

The -TimeStamp parameter allows the operator to specify an explicit DateTime value. In this case, a folder is being timestomped. The -Recurse parameter will timestomp the target file system entry and any files and directories underneath that directory. The -Recurse parameter is ignored if the argument is a file.

timestomp 'C:\Users\Administrator\AppData\Local\Temp\foo\' -TimeStamp '21 October 2023 8:37 AM' -Recurse
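
A defender-side check for the two cases above, added here as an example and not part of the tool's documentation: it flags records whose $STANDARD_INFORMATION creation time predates the $FILE_NAME creation time, or whose creation time has no sub-second part. The record layout, function names and sample values are assumptions constructed for illustration; real input would come from an MFT parser export.

```python
from datetime import datetime, timezone

def ts(text):
    """Parse a UTC timestamp with microsecond precision."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

# Constructed records in the shape an MFT parser export might have:
# (path, $STANDARD_INFORMATION created, $FILE_NAME created). All values are made up.
SAMPLE_RECORDS = [
    ("C:\\Windows\\Temp\\payload.exe",
     ts("2019-12-07 09:08:41.337512"), ts("2024-03-02 14:21:09.512884")),
    ("C:\\Users\\Administrator\\AppData\\Local\\Temp\\foo\\a.txt",
     ts("2023-10-21 08:37:00.000000"), ts("2024-03-02 14:25:53.104233")),
    ("C:\\Users\\Administrator\\Documents\\report.docx",
     ts("2024-02-11 16:02:47.889120"), ts("2024-02-11 16:02:47.889120")),
]

def timestomp_indicators(si_created, fn_created):
    """Return heuristic flags for one record; an empty list means nothing stood out."""
    flags = []
    # User-mode APIs set $STANDARD_INFORMATION; $FILE_NAME is maintained by the
    # file system, so a $SI creation time older than $FN is inconsistent.
    if si_created < fn_created:
        flags.append("si_created_before_fn_created")
    # Hand-typed values such as '21 October 2023 8:37 AM' carry no sub-second
    # part, which is rare for timestamps written by normal file activity.
    if si_created.microsecond == 0:
        flags.append("zero_subsecond")
    return flags

def triage(records):
    """Map each flagged path to its flags, skipping records with none."""
    report = {}
    for path, si_created, fn_created in records:
        flags = timestomp_indicators(si_created, fn_created)
        if flags:
            report[path] = flags
    return report

if __name__ == "__main__":
    for path, flags in triage(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(flags)}")
```

These are triage heuristics with legitimate false positives, since installers and archive tools also set timestamps. The Sync option described above moves the file to synchronize NTFS timestamps, so a synced file can pass the first check; corroborate with other sources such as the USN journal.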