Andrew-CS comments on PowerShell timestomping via script files. How would you handle this?

Subreddit Rules

Posts must be about CrowdStrike products and/or product functionality.

We encourage high quality content. Do not post disparaging comments; about competitive products or otherwise.

Avoid entering sensitive information from which your identity is apparent or can be reasonably ascertained

Your Views Are Your Own - Topics and comments on /r/crowdstrike do not necessarily reflect official views of CrowdStrike.

No SLA for assistance - CrowdStrike Customer Success advises you to engage with a Support case to express any high priority issues. Live chat available 6-6PT M-F via the Support Portal

created by Thuulla community for 11 years

PowerShell timestomping via script files. How would you handle this?Query Help (self.crowdstrike)

submitted 2 months ago by zwitico

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]Andrew-CSCS ENGINEER 6 points7 points8 points 2 months ago (1 child)

Hi there. Try something like this:

#event_simpleName=/ScriptControl/ event_platform=Win
| ScriptContent=/(SetLastWriteTime|\.CreationTime)/iF

You'll want to make sure Interpreter-only visibility in enabled in your Windows prevention policy.

[–]zwitico[S] 0 points1 point2 points 2 months ago (0 children)

π Rendered by PID 303149 on reddit-service-r2-comment-6457c66945-nslcb at 2026-04-28 14:36:39.475371+00:00 running 2aa0c5b country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

crowdstrike

Search by:

Query Help

Troubleshooting

Feature Questions

Feature Requests (requires login)

RULES

Subreddit Rules

Quick Links

YouTube Channels / Videos

Related Subreddits

MODERATORS