security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1099/T1099.yaml
T
Carrie Roberts 1bfefdacfc Add elevated (#542) 
* provide elevation_required attribute

* provide elevation_required attribute

* provide elevation_required attribute
2019-09-03 07:34:42 -06:00

153 lines
4.3 KiB
YAML
Raw Blame History

---
attack_technique: T1099
display_name: Timestomp
atomic_tests:
- name: Set a file's access timestamp
description: |
Stomps on the access timestamp of a file
supported_platforms:
- linux
- macos
input_arguments:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
default: /opt/filename
executor:
name: sh
command: |
touch -a -t 197001010000.00 #{target_filename}
- name: Set a file's modification timestamp
description: |
Stomps on the modification timestamp of a file
supported_platforms:
- linux
- macos
input_arguments:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
default: /opt/filename
executor:
name: sh
command: |
touch -m -t 197001010000.00 #{target_filename}
- name: Set a file's creation timestamp
description: |
Stomps on the create timestamp of a file
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.
supported_platforms:
- linux
- macos
input_arguments:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
default: /opt/filename
executor:
name: sh
command: |
NOW=$(date)
date -s "1970-01-01 00:00:00"
touch #{target_filename}
date -s "$NOW"
stat #{target_filename}
- name: Modify file timestamps using reference file
description: |
Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
supported_platforms:
- linux
- macos
input_arguments:
reference_file_path:
description: Path of reference file to read timestamps from
type: Path
default: /bin/sh
target_file_path:
description: Path of file to modify timestamps of
type: Path
default: /opt/filename
executor:
name: sh
command: |
touch -acmr #{reference_file_path} {target_file_path}
- name: Windows - Modify file creation timestamp with PowerShell
description: |
Modifies the file creation timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path of file to change creation timestamp
type: Path
default: C:\Some\file.txt
target_date_time:
description: Date/time to replace original timestamps with
type: String
default: '1970-01-01 00:00:00'
executor:
name: command_prompt
elevation_required: false
command: |
powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} }
- name: Windows - Modify file last modified timestamp with PowerShell
description: |
Modifies the file last modified timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path of file to change last modified timestamp
type: Path
default: C:\Some\file.txt
target_date_time:
description: Date/time to replace original timestamps with
type: String
default: '1970-01-01 00:00:00'
executor:
name: command_prompt
elevation_required: false
command: |
powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime = #{target_date_time} }
- name: Windows - Modify file last access timestamp with PowerShell
description: |
Modifies the last access timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path of file to change last access timestamp
type: Path
default: C:\Some\file.txt
target_date_time:
description: Date/time to replace original timestamps with
type: String
default: '1970-01-01 00:00:00'
executor:
name: command_prompt
elevation_required: false
command: |
powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime = #{target_date_time} }
Reference in New Issue View Git Blame Copy Permalink