TIARAS - T1099: Timestomp

MITRE ATT&CK Technique

Defense Evasion T1099

Description

Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activities. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)

Supported Platforms

Linux Windows macOS

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2017-05-31T21:31:12.675Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may take actions to hide the deployment of new, '
                'or modification of existing files to obfuscate their '
                'activities. Timestomping is a technique that modifies the '
                'timestamps of a file (the modify, access, create, and change '
                'times), often to mimic files that are in the same folder. '
                'This is done, for example, on files that have been modified '
                'or created by the adversary so that they do not appear '
                'conspicuous to forensic investigators or file analysis tools. '
                'Timestomping may be used along with file name '
                '[Masquerading](https://attack.mitre.org/techniques/T1036) to '
                'hide malware and tools. (Citation: WindowsIR Anti-Forensic '
                'Techniques)',
 'external_references': [{'external_id': 'T1099',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1099'},
                         {'description': 'Carvey, H. (2013, July 23). HowTo: '
                                         'Determine/Detect the use of '
                                         'Anti-Forensics Techniques. Retrieved '
                                         'June 3, 2016.',
                          'source_name': 'WindowsIR Anti-Forensic Techniques',
                          'url': 'http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html'}],
 'id': 'attack-pattern--128c55d3-aeba-469f-bd3e-c8996ab4112a',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:25.923Z',
 'name': 'Timestomp',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Romain Dumont, ESET'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'Windows', 'macOS'],
 'x_mitre_version': '1.2'}

Quick Actions

Edit TTP Update from Web

Back to TTPs

Dashboard About