---
title: "Prevent Timestomping in Launch Directories | Security Cookbook"
description: "Block touch command from rewriting timestamps in LaunchAgent/LaunchDaemon directories, exposing persistence attempts to timeline analysis."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/prevent-timestomping"
---

### Idea

One way that malicious software covers its tracks is timestomping: setting the timestamps of malicious files to match those of legitimate files so that timeline analysis becomes harder. As Jaron Bradley points out, this is commonly done when achieving persistence through the LaunchAgents and LaunchDaemons directories. Malware can use the built-in `touch` command with seldom-used flags, such as `-r`, which copies the timestamps of a reference file onto the target file.

### Solutions

#### Execution Block: Touch Timestomping (Santa 2025.11 and earlier)

Prevent touch from modifying timestamps in Launch directories

- Identifier: `platform:com.apple.touch`
- Rule Type: SIGNINGID
- Policy: CEL

CEL Expression:

```cel
args.exists(arg, arg in ['-a', '-m', '-r', '-A', '-t'])
  && args.join(" ").contains("Library/Launch")
  ? BLOCKLIST : ALLOWLIST
```

Custom Message: Modifying timestamps in Launch directories is not allowed

#### Execution Block: Touch Timestomping (Santa 2025.12+)

Enhanced rule that accounts for the current working directory

- Identifier: `platform:com.apple.touch`
- Rule Type: SIGNINGID
- Policy: CEL

CEL Expression:

```cel
args.exists(arg, arg in ['-a', '-m', '-r', '-A', '-t'])
  && ((args.join(" ").contains("Library/Launch")
       || cwd.contains("Library/Launch"))
       || (cwd.endsWith("Library") &&
           (args.join(" ").contains("./Launch") || args.join(" ").contains(" Launch"))))
  ? BLOCKLIST : ALLOWLIST
```

Custom Message: Modifying timestamps in Launch directories is not allowed

### Mitre Attack

Tactics

[Stealth](https://attack.mitre.org/tactics/TA0005/)

Techniques

[T1070.006: Timestomp](https://attack.mitre.org/techniques/T1070/006/)

### Tags

- timestomping
- touch
- launchagent
- launchdaemon

### Deployment Notes

In Santa versions 2025.12+ you can write a better rule that accounts for the current working directory (cwd). To harden this further, you could use a file access rule, which was demonstrated by Kristin Smith at BSides Canberra 2025.
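To see what the cwd-aware rule adds over the original one, here is an added Python model of the two CEL expressions above (not Santa's CEL engine and not code from the cookbook), run over constructed `touch` command lines. It assumes `args` is the argument list after the program name and `cwd` is the working directory, both as plain strings.

```python
# Added example: a Python re-implementation of the two cookbook CEL rules so
# their verdicts can be compared on sample invocations. Assumption: `args`
# excludes argv[0] and `cwd` is the process working directory as a string.
import shlex

TIMESTAMP_FLAGS = {"-a", "-m", "-r", "-A", "-t"}
BLOCKLIST, ALLOWLIST = "BLOCKLIST", "ALLOWLIST"


def rule_2025_11(args: list[str], cwd: str) -> str:
    """Model of the 'Santa 2025.11 and earlier' rule: flag + path in argv."""
    joined = " ".join(args)
    has_flag = any(arg in TIMESTAMP_FLAGS for arg in args)
    return BLOCKLIST if has_flag and "Library/Launch" in joined else ALLOWLIST


def rule_2025_12(args: list[str], cwd: str) -> str:
    """Model of the 'Santa 2025.12+' rule: also inspects the cwd."""
    joined = " ".join(args)
    has_flag = any(arg in TIMESTAMP_FLAGS for arg in args)
    in_launch_dir = "Library/Launch" in joined or "Library/Launch" in cwd
    # Relative path such as "LaunchAgents/x.plist" typed from ~/Library.
    relative_from_library = cwd.endswith("Library") and (
        "./Launch" in joined or " Launch" in joined
    )
    return BLOCKLIST if has_flag and (in_launch_dir or relative_from_library) else ALLOWLIST


def evaluate(cmdline: str, cwd: str) -> tuple[str, str]:
    """Return (old-rule verdict, new-rule verdict) for one touch command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "touch":
        raise ValueError("model only covers touch invocations")
    return rule_2025_11(argv[1:], cwd), rule_2025_12(argv[1:], cwd)


# Constructed sample invocations (not captured from a real incident).
SAMPLES = [
    # Absolute path in argv: both rules block.
    ("touch -r /bin/ls /Users/eve/Library/LaunchAgents/com.example.plist", "/Users/eve"),
    # Relative path, cwd already inside LaunchAgents: only the 2025.12 rule blocks.
    ("touch -r /bin/ls com.example.plist", "/Users/eve/Library/LaunchAgents"),
    # Relative path from ~/Library: only the 2025.12 rule blocks.
    ("touch -t 202001010000 LaunchDaemons/com.example.plist", "/Users/eve/Library"),
    # No timestamp flag at all: both rules allow.
    ("touch /Users/eve/Library/LaunchAgents/com.example.plist", "/Users/eve"),
]

if __name__ == "__main__":
    for cmd, cwd in SAMPLES:
        old, new = evaluate(cmd, cwd)
        print(f"{cmd!r} (cwd={cwd}) -> 2025.11={old}, 2025.12={new}")
```

The second and third samples are exactly the cases the deployment note refers to: the 2025.11 rule never sees a Launch directory in argv when the path is relative, while the cwd-aware rule does.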

### Resources

- [Jaron Bradley: APT Activity on macOS](https://themittenmac.com/what-does-apt-activity-look-like-on-macos/)
- [Kristin Smith: Binary Naughty Nice Resources](https://www.linkedin.com/pulse/binary-naughty-nice-resources-kristin-smith-6jdac)
- [CEL Cookbook](https://northpole.dev/cookbook/cel/)

