From e4aae047651c10e6123463ca18906ed61b93736a Mon Sep 17 00:00:00 2001
From: "@" <@>
Date: Tue, 24 Nov 2020 12:57:03 -0600
Subject: [PATCH] powershell timestomp detection

---
 queries/windows/powershell_time_stomping.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 queries/windows/powershell_time_stomping.yml

diff --git a/queries/windows/powershell_time_stomping.yml b/queries/windows/powershell_time_stomping.yml
new file mode 100644
index 0000000..ce4f9e9
--- /dev/null
+++ b/queries/windows/powershell_time_stomping.yml
@@ -0,0 +1,17 @@
+title: PowerShell TimeStomping
+description: Detection of time stomping with PowerShell.
+author: keyboardcrunch
+date: 24/11/2020
+modified:
+mitre:
+ tactic: Defense Evasion
+ technique: T1070
+ subtechnique: 006
+operating_system: windows
+query: SrcProcCmdScript In Contains Anycase ("[IO.File]::SetCreationTime","[IO.File]::SetLastAccessTime","[IO.File]::SetLastWriteTime")
+false_positives:
+ -
+tags:
+ -
+references:
+ - https://attack.mitre.org/techniques/T1070/006/
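Review bot: The `query` line only matches the `[IO.File]::` spelling, so the equivalent fully qualified form `[System.IO.File]::SetCreationTime` (and the `SetLastAccessTime` / `SetLastWriteTime` counterparts) is not a substring hit and falls outside the rule, even though `Contains Anycase` already covers the `...Utc` variants; adding `"[System.IO.File]::SetCreationTime"` and the two corresponding strings to the tuple closes that coverage gap. `false_positives` and `tags` each contain a bare `-`, which a YAML parser reads as a list with one null entry rather than an empty list; either drop the dash or fill in the known benign cases (backup, sync and deployment scripts that deliberately preserve file timestamps are presumably the main source — worth confirming against the environment). `date: 24/11/2020` is an unquoted non-ISO string whose day/month order is ambiguous; `date: 2020-11-24` would be unambiguous and sortable, and `modified:` left empty yields null, which is fine only if the schema tolerates it.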