
Persistence Prevention | Execution | Updated Dec 4, 2025

Prevent Timestomping in Launch Directories

Block the touch command from rewriting timestamps in LaunchAgent/LaunchDaemon directories, so persistence attempts remain visible to timeline analysis.

Idea

One way that malicious software covers its tracks is by timestomping, or setting the timestamps of malicious files to match legitimate ones to make timeline analysis more difficult. As Jaron Bradley points out, this is commonly done when achieving persistence through the LaunchAgents and LaunchDaemons directories. Malware can use the built-in touch command with seldom-used flags, such as -r, which copies the timestamp from one file to another.

Solutions

Execution: Block Touch Timestomping (Santa 2025.11 and earlier)
Prevent touch from modifying timestamps in Launch directories
Identifier:
Rule Type:
Policy:
CEL Expression:
Custom Message:

Execution: Block Touch Timestomping (Santa 2025.12+)
Enhanced rule that accounts for current working directory
Identifier:
Rule Type:
Policy:
CEL Expression:
Custom Message:

Mitre Attack

Tags

timestomping, touch, launchagent, launchdaemon

Deployment Notes

In Santa 2025.12 and later you can write a better rule that accounts for the current working directory (cwd), so touch invoked with a relative path from inside a Launch directory is still caught. To harden this further, you could use a file access rule, which was demonstrated by Kristin Smith at BSides Canberra 2025.
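The following is an added example, not the page's CEL rules and not Santa's own code: a small Python model of the decision logic described in the Idea section and in this deployment note. It evaluates a constructed execution event (binary path, argv, cwd; these field names are assumptions, not Santa's schema) the way an args-only rule would and the way a cwd-aware rule would, and shows why the relative-path case from the note matters. Plist names in the sample events are placeholders.

```python
"""Reference model of the rule described on this page (added example, not
Santa's CEL): block /usr/bin/touch when it would modify a file under a
LaunchAgents or LaunchDaemons directory, with and without resolving relative
arguments against the process cwd. ExecEvent field names are assumptions."""
import os.path
from dataclasses import dataclass

TOUCH = "/usr/bin/touch"
LAUNCH_MARKERS = ("/Library/LaunchAgents", "/Library/LaunchDaemons")
# touch options that consume the next argv token; that token is not a file
# touch modifies (-r's value is the reference file whose timestamps are copied).
VALUE_FLAGS = {"-r", "-t", "-d", "-A"}


@dataclass
class ExecEvent:
    path: str    # executable being launched
    args: list   # full argv, argv[0] included
    cwd: str     # current working directory of the new process


def in_launch_dir(path: str) -> bool:
    """True if a normalised path lies in any Launch* directory, which also
    covers the per-user ~/Library/LaunchAgents and /System/Library ones."""
    p = os.path.normpath(path)
    return any(p.endswith(m) or (m + "/") in p for m in LAUNCH_MARKERS)


def touch_targets(argv, cwd=None):
    """Paths a touch invocation will modify. With cwd given, relative paths are
    resolved against it (the 2025.12+ behaviour); without it they are taken
    literally, as an args-only rule sees them. Assumes options are passed as
    separate tokens ('-r ref', not '-rref')."""
    targets, i = [], 1
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_FLAGS:
            i += 2          # skip the option and its value
            continue
        if tok.startswith("-"):
            i += 1          # boolean option such as -a, -m, -c
            continue
        if cwd is not None and not tok.startswith("/"):
            tok = os.path.join(cwd, tok)
        targets.append(os.path.normpath(tok))
        i += 1
    return targets


def evaluate(ev: ExecEvent, account_for_cwd: bool) -> str:
    """Return 'BLOCK' or 'ALLOW' for one execution event."""
    if ev.path != TOUCH:
        return "ALLOW"
    cwd = ev.cwd if account_for_cwd else None
    if any(in_launch_dir(t) for t in touch_targets(ev.args, cwd)):
        return "BLOCK"
    return "ALLOW"


# Constructed sample events (plist names are placeholders).
# 1. Absolute paths: both rule generations catch this.
ABSOLUTE_EVENT = ExecEvent(TOUCH, ["touch", "-r",
                                   "/Library/LaunchDaemons/com.vendor.reference.plist",
                                   "/Library/LaunchDaemons/com.example.agent.plist"], "/tmp")
# 2. Same action run from inside the directory with bare filenames: only the
#    cwd-aware rule sees that the target lives under LaunchDaemons.
RELATIVE_EVENT = ExecEvent(TOUCH, ["touch", "-r", "com.vendor.reference.plist",
                                   "com.example.agent.plist"], "/Library/LaunchDaemons")
# 3. Benign: cwd is a Launch directory but the target is an absolute path elsewhere.
BENIGN_EVENT = ExecEvent(TOUCH, ["touch", "/tmp/build.log"], "/Library/LaunchAgents")


def main():
    for name, ev in (("absolute", ABSOLUTE_EVENT), ("relative", RELATIVE_EVENT),
                     ("benign", BENIGN_EVENT)):
        print(f"{name:9} args-only={evaluate(ev, False):5}  cwd-aware={evaluate(ev, True)}")


if __name__ == "__main__":
    main()
```

Running the block prints one line per sample event; the relative case is the one where the two rule generations disagree, which is the gap the deployment note is about.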

Resources