MITRE ATT&CK® Detection Strategy

DET0591: Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering


Enterprise | DET0591 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0591 is a detection strategy for finding file timestamp manipulation associated with ATT&CK technique T1070.006, Timestomp. The business significance is that altered file times can make malicious files or unauthorized changes look older, routine, or aligned with neighboring legitimate files, complicating incident scoping, forensic timelines, audit reconstruction, and recovery decisions.

Executive priority

Prioritize this as an evidence-integrity and incident-readiness concern. If teams cannot reliably identify timestamp tampering across relevant systems, investigations may underestimate dwell time, miss changed files, or produce weaker audit and legal evidence. Leaders should ask whether SOC and incident response teams can preserve and compare file metadata, especially on Windows, Linux, macOS, and ESXi environments referenced by the related ATT&CK technique.

Technical view

This detection strategy is tied to T1070.006 Timestomp, which involves modifying file time attributes such as modify, access, create, and change times to blend files into a directory or obscure changes. Because the official detection-strategy object provides no detection text or platform list, validation should be driven by the related technique context: confirm whether endpoint, filesystem, and forensic telemetry can expose suspicious timestamp inconsistencies, unusual metadata changes, or mismatches between user-visible timestamps and lower-level filesystem records where applicable, such as Windows MFT $STANDARD_INFORMATION and $FILE_NAME attributes. On NTFS the $STANDARD_INFORMATION timestamps are the ones user-mode APIs such as SetFileTime can set, while the $FILE_NAME timestamps are maintained by the kernel and are normally refreshed only when the file is created, renamed, or moved, which is why disagreement between the two attribute sets is a useful signal.

Likely telemetry

  • Endpoint file metadata and file modification events
  • Filesystem audit records where available
  • Windows NTFS/MFT forensic metadata, including $STANDARD_INFORMATION and $FILE_NAME timestamp context
  • Linux, macOS, and ESXi file timestamp and integrity evidence where locally collected
  • File integrity monitoring or EDR records showing file creation, modification, and metadata changes

Detection direction

  • Validate that detections do not rely only on a single user-visible timestamp field; compare multiple metadata sources when the filesystem supports it.
  • Tune for suspicious timestamp patterns such as newly observed files whose timestamps match neighboring files, inconsistent creation/change/modify/access timelines, a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time on NTFS, or whole-second timestamps on a filesystem that otherwise records sub-second precision.
  • Use relationship context to focus on stealth behavior rather than malware family or attribution; this object does not provide actor-specific indicators.
  • Account for false positives from legitimate administrative tools, software deployment, backup/restore operations, file migration, and forensic handling that may alter timestamps.
  • Confirm coverage separately by operating environment because the detection-strategy object itself does not specify platforms, while the related technique lists ESXi, Linux, macOS, and Windows.
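The following is an added example, not code from the ATT&CK object or from Glexia, showing the kind of cross-attribute comparison the Technical view and Detection direction above describe. It assumes you already have a parser or EDR feed that exposes both $STANDARD_INFORMATION and $FILE_NAME timestamps per MFT entry (the NtfsRecord fields) and, for Linux, macOS, or ESXi hosts, mtime, ctime, and birth time from stat or statx. All paths and timestamps are constructed for illustration; the indicator names, tolerance, and sample records are this example's own choices.

```python
# Added example (not part of the ATT&CK object or the Glexia page): timestomp
# indicator checks over constructed file-metadata records. Paths, times and
# indicator names below are made up for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc
# Allowance for clock jitter and rounding so ordinary sub-second differences
# between attribute sets are not flagged.
TOLERANCE = timedelta(seconds=2)


@dataclass
class NtfsRecord:
    """Timestamps from one MFT entry (assumed to come from your own MFT parser
    or an EDR that exposes both attribute sets)."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION: user-settable via SetFileTime
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME: kernel-maintained, refreshed on create/rename/move
    fn_modified: datetime


def ntfs_timestomp_indicators(rec: NtfsRecord) -> List[str]:
    hits: List[str] = []
    # A file cannot have been created before the name it was created under.
    # Known false positives: backup/restore or migration tools that set creation
    # time deliberately. Known miss: a stomp followed by a rename rewrites
    # $FILE_NAME from the stomped $STANDARD_INFORMATION values.
    if rec.si_created + TOLERANCE < rec.fn_created:
        hits.append("si_created_before_fn_created")
    # NTFS stores 100 ns resolution; many stomping tools only set whole seconds.
    # False positive: files whose times came from a second-resolution source
    # such as a FAT volume or an archive.
    for name, ts in (("created", rec.si_created), ("modified", rec.si_modified)):
        if ts.microsecond == 0:
            hits.append(f"si_{name}_zero_subsecond")
    return hits


def posix_timestomp_indicators(mtime: datetime, ctime: datetime,
                               btime: Optional[datetime] = None) -> List[str]:
    """Indicators for Linux/macOS/ESXi-style inode metadata. mtime and atime are
    settable (touch -d, utimensat); ctime is written by the kernel on any inode
    change; btime is the statx birth time where the filesystem records it."""
    hits: List[str] = []
    # Modified before born. False positives: cp -p, tar or rsync preserving mtime.
    if btime is not None and mtime + TOLERANCE < btime:
        hits.append("mtime_before_birth")
    # touch -d "YYYY-MM-DD" yields a whole-second mtime, while the kernel writes
    # the accompanying ctime with nanosecond precision.
    if mtime.microsecond == 0 and ctime.microsecond != 0:
        hits.append("mtime_zero_subsecond_ctime_not")
    return hits


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=UTC)


# Constructed sample: one ordinary binary and one backdated dropper.
SAMPLE_NTFS = [
    NtfsRecord("C:\\Windows\\System32\\svchost.exe",
               si_created=_ts("2023-11-02 08:15:30.123456"),
               si_modified=_ts("2023-11-02 08:15:30.123456"),
               fn_created=_ts("2023-11-02 08:15:30.123456"),
               fn_modified=_ts("2023-11-02 08:15:30.123456")),
    NtfsRecord("C:\\ProgramData\\updater.exe",
               si_created=_ts("2023-11-02 08:15:30"),          # stomped to match neighbours
               si_modified=_ts("2023-11-02 08:15:30"),
               fn_created=_ts("2024-05-01 13:22:07.654321"),   # real drop time
               fn_modified=_ts("2024-05-01 13:22:07.654321")),
]


def scan_ntfs(records: List[NtfsRecord]) -> Dict[str, List[str]]:
    """Return only the records that raised at least one indicator."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        hits = ntfs_timestomp_indicators(rec)
        if hits:
            result[rec.path] = hits
    return result


def sample_posix_hits() -> List[str]:
    # Constructed: file created 2024-05-01, then `touch -d 2020-01-01` applied.
    return posix_timestomp_indicators(
        mtime=_ts("2020-01-01 00:00:00"),
        ctime=_ts("2024-05-01 13:22:07.987654"),
        btime=_ts("2024-05-01 13:22:05.000100"),
    )


if __name__ == "__main__":
    for path, hits in scan_ntfs(SAMPLE_NTFS).items():
        print(path, hits)
    print("posix sample:", sample_posix_hits())
```

Treat each indicator as a scoring input rather than an alert on its own: the zero sub-second check in particular fires on legitimately second-resolution sources, so combine it with the attribute-order checks and with the false-positive sources listed above before raising anything to an analyst.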

Mitigation priorities

  • Preserve high-quality endpoint and filesystem telemetry before an incident so responders can reconstruct file timelines.
  • Harden and monitor administrative access that can modify files or metadata, using least privilege and change-control expectations.
  • Use file integrity monitoring or comparable controls on high-value directories, servers, and workloads where timestamp integrity matters for recovery or compliance.
  • Ensure incident response procedures include metadata preservation and forensic collection practices that avoid overwriting timeline evidence.
  • Document detection assumptions and evidence sources for audit readiness, since timestamp tampering can weaken confidence in file-based investigation records.

Analyst notes and limits

The supplied ATT&CK detection-strategy object is sparse: it has a name and an external reference but no official description, detection text, platforms, or tactics. The practical interpretation comes from its relationship to T1070.006 Timestomp, whose ATT&CK context identifies stealth behavior across ESXi, Linux, macOS, and Windows and describes manipulation of file time attributes.

This take does not assert active exploitation, attribution, customer exposure, or guaranteed detection. Local validation is required to determine which filesystems, endpoint agents, audit policies, and forensic processes can actually collect and compare the necessary metadata.

Official MITRE ATT&CK definition

Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                       Relationship / procedure
Enterprise  T1070.006  Timestomp (sub-technique)  This object detects Timestomp.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 76078ad78b0d875e...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (blank)          1.0             (blank)   Current bundle  76078ad78b0d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0591 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.