# Timestomping

> Timestomping refers to **the alteration of timestamps of a file on an NTFS file system**. This tactic is commonly utilized by threat actors to hide their tools on the victim's file system.

### Timestomping Windows

One of the easiest ways to timestomp on Windows is to use [nTimetools](https://github.com/limbenjamin/nTimetools):

```powershell
# Check the original time
.\nTimeView C:\program.exe

# Forge a creation time/date
.\nTimeStomp.exe -F C:\program.exe -A "2022-09-17 12:18:43.0000001" -C "2022-09-17 12:18:43.0000001"
```

### Timestomping Linux

On Linux, the `touch` command is enough to modify a file's access and modification timestamps:

```bash
# Set the access time to a fixed value (format: [[CC]YY]MMDDhhmm[.ss])
touch -a -t 197001010000.00 "$targetfile"

# Match a reference file's access and modification timestamps
touch -acmr "$referencedfile" "$targetfile"
```
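
From the defender's side, `touch` can rewrite atime and mtime but not ctime, which the kernel sets to the moment of the change. The following added example (not part of the original page; it assumes GNU `stat`, and the function names and the 86400-second default gap are hypothetical) reports the traces that the commands above leave on a file:

```shell
#!/bin/sh
# Added example: report traces of touch-based timestomping on a Linux file.
# Assumes GNU stat. Function names and the default gap are hypothetical.

# Usage: stomp_indicators FILE [MAX_GAP_SECONDS]
# Prints one indicator per line; prints nothing when the file looks normal.
stomp_indicators() {
    si_file=$1
    si_gap=${2:-86400}

    # %X %Y %Z = atime, mtime, ctime in epoch seconds.
    si_times=$(stat -c '%X %Y %Z' -- "$si_file") || return 2
    set -- $si_times
    si_atime=$1 si_mtime=$2 si_ctime=$3

    # touch cannot set ctime: the kernel stamps it with the moment the
    # timestamps were rewritten, so a backdated mtime/atime trails ctime.
    if [ $((si_ctime - si_mtime)) -gt "$si_gap" ]; then
        echo "MTIME_BEFORE_CTIME"
    fi
    if [ $((si_ctime - si_atime)) -gt "$si_gap" ]; then
        echo "ATIME_BEFORE_CTIME"
    fi

    # touch -t takes whole seconds, leaving a nanosecond field of exactly 0,
    # which is rare for files written normally on an ns-resolution filesystem.
    case $(stat -c '%y' -- "$si_file") in
        *.000000000\ *) echo "ZERO_NSEC_MTIME" ;;
    esac
    case $(stat -c '%x' -- "$si_file") in
        *.000000000\ *) echo "ZERO_NSEC_ATIME" ;;
    esac
    return 0
}

# Constructed demonstration: backdate a scratch file, then inspect it.
stomp_demo() {
    sd_file=$(mktemp) || return 2
    touch -a -m -t 197001010000.00 "$sd_file"
    stomp_indicators "$sd_file"
    rm -f -- "$sd_file"
}

stomp_demo
```

Archive extraction, package installation and `cp -p` also leave mtime older than ctime, so treat these indicators as triage leads rather than proof. With `touch -r` the nanosecond field is copied from the reference file, so only the ctime gap remains as a trace.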

### References

- <https://attack.mitre.org/techniques/T1070/006/>
- <https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md>
