
Summary
This detection rule identifies potential timestomping, a technique attackers use to manipulate the creation time of malicious files so that they blend in with system files or legitimate software installations. The rule looks for file creation-time change events in which the previous creation time of a file falls in the year 2022 and the newly recorded creation time of the same file is a different value. Processes that routinely rewrite creation times for legitimate reasons, such as Windows update processes, are excluded, and further filters limit the rule to non-standard changes under designated file paths in order to keep false positives down. A backdoor whose file creation time appears to have been altered becomes a point of investigation for potential threat activity. Legitimate system processes also change file timestamps, so detected events need surrounding context before a benign action is classified as malicious.
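The selection-and-filter logic described above, written out as a small Python detector over Sysmon Event ID 2 (file creation time changed) records. This is an added example, not the rule's own code or query. The field names (Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime) are the ones Sysmon writes for Event ID 2; the process allowlist, the watched path prefixes, the sample events, and the reading of "a different value" as a creation time outside the 2022 year are constructed assumptions for illustration.

```python
"""Added example: minimal timestomping detector over Sysmon Event ID 2 records.

Not the detection rule's own code. Field names follow Sysmon Event ID 2; the
allowlist, watched paths and sample events below are constructed assumptions.
"""
from datetime import datetime

# ASSUMPTION: processes whose creation-time rewrites are routine (Windows update style).
ALLOWLISTED_IMAGES = {
    "c:\\windows\\system32\\wuauclt.exe",
    "c:\\windows\\system32\\svchost.exe",
}

# ASSUMPTION: the designated file paths the rule is scoped to.
WATCHED_PATH_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\programdata\\")


def parse_event_block(text: str) -> dict:
    """Parse the 'Key: Value' lines of a Sysmon event message into a dict."""
    event = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event


def parse_sysmon_utc(ts: str) -> datetime:
    """Sysmon writes UTC timestamps as 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def is_timestomp_candidate(event: dict, target_year: int = 2022) -> bool:
    """Selection: previous creation time in target_year and the new creation time
    outside it (assumption: 'a different value' read as a different year), not
    produced by an allowlisted process, and under a watched path."""
    previous = parse_sysmon_utc(event["PreviousCreationUtcTime"])
    current = parse_sysmon_utc(event["CreationUtcTime"])
    image = event["Image"].lower()
    target = event["TargetFilename"].lower()
    if previous.year != target_year or current.year == target_year:
        return False
    if image in ALLOWLISTED_IMAGES:
        return False
    return target.startswith(WATCHED_PATH_PREFIXES)


def detect(event_blocks) -> list:
    """Return the parsed events that survive the selection and all filters."""
    return [e for e in map(parse_event_block, event_blocks) if is_timestomp_candidate(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: unknown binary backdates a dropped file under ProgramData -> should alert
    """Event ID: 2
UtcTime: 2022-08-12 10:15:30.123
Image: C:\\Users\\Public\\stage.exe
TargetFilename: C:\\ProgramData\\svc\\helper.dll
CreationUtcTime: 2019-03-04 08:00:00.000
PreviousCreationUtcTime: 2022-08-12 10:15:29.870""",
    # 2: Windows Update client rewrites a system file time -> allowlisted process
    """Event ID: 2
UtcTime: 2022-08-12 11:00:00.000
Image: C:\\Windows\\System32\\wuauclt.exe
TargetFilename: C:\\Windows\\System32\\example.dll
CreationUtcTime: 2021-11-02 03:00:00.000
PreviousCreationUtcTime: 2022-08-12 10:59:59.000""",
    # 3: previous creation time not in 2022 -> not selected
    """Event ID: 2
UtcTime: 2022-08-12 12:00:00.000
Image: C:\\Users\\Public\\stage.exe
TargetFilename: C:\\ProgramData\\svc\\other.dll
CreationUtcTime: 2019-01-01 00:00:00.000
PreviousCreationUtcTime: 2021-06-30 00:00:00.000""",
    # 4: outside the watched paths -> filtered
    """Event ID: 2
UtcTime: 2022-08-12 13:00:00.000
Image: C:\\Users\\Public\\stage.exe
TargetFilename: C:\\Users\\bob\\Downloads\\note.exe
CreationUtcTime: 2018-05-05 05:05:05.000
PreviousCreationUtcTime: 2022-08-12 12:59:00.000""",
    # 5: new creation time still in 2022 -> filtered
    """Event ID: 2
UtcTime: 2022-08-12 14:00:00.000
Image: C:\\Users\\Public\\stage.exe
TargetFilename: C:\\ProgramData\\svc\\same_year.dll
CreationUtcTime: 2022-01-01 00:00:00.000
PreviousCreationUtcTime: 2022-08-12 13:59:00.000""",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("timestomp candidate:", hit["Image"], "->", hit["TargetFilename"])
```

Only the first sample survives: the others are dropped by the allowlist, the year selection, the path scope, or the same-year filter, which is the order of checks a practitioner would tune when the rule is noisy in a given environment.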
Categories
- Windows
- Endpoint
Data Sources
- File
- Process
Created: 2022-08-12