
Summary
The Powershell Timestomp detection rule identifies attempts by adversaries to alter file timestamps using PowerShell scripts. This technique, known as timestomping, lets attackers hide their activity by modifying the 'Creation', 'LastWrite', and 'LastAccess' timestamps of files to match existing files in the same folder, so that unauthorized changes or newly dropped files do not stand out during forensic analysis.

The rule relies on PowerShell script block logging to capture the specific commands that indicate timestamp modification, so script block logging must be enabled in the environment for the rule to work. It matches textual signatures of the PowerShell commands commonly used for timestomping, helping security teams spot file timestamp manipulation that may signal an evasion tactic. False positives may occur when legitimate administrative scripts in the environment modify timestamps. The rule is categorized under defense evasion, specifically T1070.006, which covers the manipulation of file attributes for malicious purposes.
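The following is an added example, not the rule's own definition or any project code: a small Python detector that runs the kind of textual signatures the rule describes over constructed PowerShell script block log events (Windows event 4104 from the Microsoft-Windows-PowerShell/Operational log). The regex patterns, the event field names, the allowlist of administrative script paths and the sample events are all assumptions made for this example. It also handles one detail the summary does not spell out: long script blocks are logged as several 4104 fragments, so a signature can be split across events and must be reassembled before matching.

```python
"""Toy detector for PowerShell timestomping signatures (added example).

Scans constructed script block log events for writes to the Creation,
LastWrite and LastAccess timestamps of files. Everything here (patterns,
field names, allowlist, sample events) is an assumption for illustration.
"""
import re
from collections import defaultdict

# Assumed signatures: assignment to a file timestamp property, or a call
# to the .NET System.IO.File setters for the same three timestamps.
TIMESTOMP_PATTERNS = {
    "property_assignment": re.compile(
        r"\.(Creation|LastWrite|LastAccess)Time(Utc)?\s*=", re.IGNORECASE),
    "dotnet_setter": re.compile(
        r"\[(System\.)?IO\.File\]::Set(Creation|LastWrite|LastAccess)Time(Utc)?\s*\(",
        re.IGNORECASE),
}

# Assumed allowlist of administrative scripts known to touch timestamps,
# to suppress the false positives the rule description mentions.
ALLOWLISTED_SCRIPT_PATHS = {r"c:\admin\archive-rotation.ps1"}

# Constructed 4104-style events (not real captures). Fields mirror the
# ScriptBlockId / MessageNumber / MessageTotal / Path / ScriptBlockText
# layout of the real event, but the values are made up.
SAMPLE_EVENTS = [
    # blk-1: copies all three timestamps from a neighbouring file
    {"ScriptBlockId": "blk-1", "MessageNumber": 1, "MessageTotal": 1,
     "Path": r"C:\Temp\stage.ps1",
     "ScriptBlockText": (
         "$ref = Get-Item C:\\Temp\\reference.txt; $f = Get-Item C:\\Temp\\target.txt; "
         "$f.CreationTime = $ref.CreationTime; $f.LastWriteTime = $ref.LastWriteTime; "
         "$f.LastAccessTime = $ref.LastAccessTime")},
    # blk-2: benign, only compares LastWriteTime (no assignment)
    {"ScriptBlockId": "blk-2", "MessageNumber": 1, "MessageTotal": 1,
     "Path": r"C:\Scripts\cleanup.ps1",
     "ScriptBlockText": ("Get-ChildItem C:\\Logs | Where-Object "
                         "{ $_.LastWriteTime -lt (Get-Date).AddDays(-30) } | Remove-Item")},
    # blk-3: one script block logged as two fragments; the signature
    # straddles the fragment boundary
    {"ScriptBlockId": "blk-3", "MessageNumber": 1, "MessageTotal": 2,
     "Path": "",
     "ScriptBlockText": "$items = Get-ChildItem C:\\Temp; foreach ($i in $items) { $i.LastWrite"},
    {"ScriptBlockId": "blk-3", "MessageNumber": 2, "MessageTotal": 2,
     "Path": "",
     "ScriptBlockText": "Time = (Get-Date).AddYears(-2) }"},
    # blk-4: allowlisted admin script using the .NET setter
    {"ScriptBlockId": "blk-4", "MessageNumber": 1, "MessageTotal": 1,
     "Path": r"C:\Admin\archive-rotation.ps1",
     "ScriptBlockText": "[IO.File]::SetLastWriteTime($archive, (Get-Date))"},
]


def reassemble(events):
    """Group fragments by ScriptBlockId and join them in MessageNumber order."""
    fragments = defaultdict(list)
    paths = {}
    for ev in events:
        fragments[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
        if ev.get("Path"):
            paths[ev["ScriptBlockId"]] = ev["Path"]
    return {
        block_id: {"Path": paths.get(block_id, ""),
                   "ScriptBlockText": "".join(text for _, text in sorted(parts))}
        for block_id, parts in fragments.items()
    }


def find_matches(events):
    """Return {block_id: {Path, signatures}} for every block hitting a signature."""
    hits = {}
    for block_id, block in reassemble(events).items():
        names = [name for name, pat in TIMESTOMP_PATTERNS.items()
                 if pat.search(block["ScriptBlockText"])]
        if names:
            hits[block_id] = {"Path": block["Path"], "signatures": names}
    return hits


def detect(events, allowlist=ALLOWLISTED_SCRIPT_PATHS):
    """Matches minus allowlisted admin scripts: the alerts an analyst would triage."""
    allowed = {p.lower() for p in allowlist}
    return {bid: hit for bid, hit in find_matches(events).items()
            if hit["Path"].lower() not in allowed}


if __name__ == "__main__":
    for block_id, hit in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {block_id}: {hit['signatures']} path={hit['Path'] or '<none>'}")
```

Running the block alerts on blk-1 and the reassembled blk-3, ignores the comparison-only blk-2, and suppresses blk-4 because its path is allowlisted. Matching the raw fragments of blk-3 individually would miss it, which is why reassembly by ScriptBlockId happens before the signatures are applied.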
Categories
- Windows
- Endpoint
Data Sources
- Script
ATT&CK Techniques
- T1070.006
Created: 2021-08-03