CircleCI Atomic Red Team doc generator
85 lines
2.9 KiB
Markdown
85 lines
2.9 KiB
Markdown
# T1099 - Timestomp
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1099)
|
|
<blockquote>Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)
|
|
|
|
Detection: Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.
|
|
|
|
Platforms: Linux, Windows
|
|
|
|
Data Sources: File monitoring, Process monitoring, Process command-line parameters
|
|
|
|
Defense Bypassed: Host forensic analysis
|
|
|
|
Permissions Required: User, Administrator, SYSTEM</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Set a file's access timestamp](#atomic-test-1---set-a-files-access-timestamp)
|
|
|
|
- [Atomic Test #2 - Set a file's modification timestamp](#atomic-test-2---set-a-files-modification-timestamp)
|
|
|
|
- [Atomic Test #3 - Set a file's creation timestamp](#atomic-test-3---set-a-files-creation-timestamp)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Set a file's access timestamp
|
|
Stomps on the access timestamp of a file
|
|
|
|
**Supported Platforms:** Linux, macOS
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| target_filename | Path of file that we are going to stomp on last access time | Path | |
|
|
|
|
#### Run it with `sh`!
|
|
```
|
|
touch -a -t 197001010000.00 #{target_filename}
|
|
```
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Set a file's modification timestamp
|
|
Stomps on the modification timestamp of a file
|
|
|
|
**Supported Platforms:** Linux, macOS
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| target_filename | Path of file that we are going to stomp on last access time | Path | |
|
|
|
|
#### Run it with `sh`!
|
|
```
|
|
touch -m -t 197001010000.00 #{target_filename}
|
|
```
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - Set a file's creation timestamp
|
|
Stomps on the create timestamp of a file
|
|
|
|
Setting the creation timestamp requires changing the system clock and reverting.
|
|
Sudo or root privileges are required to change date. Use with caution.
|
|
|
|
**Supported Platforms:** Linux, macOS
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| target_filename | Path of file that we are going to stomp on last access time | Path | |
|
|
|
|
#### Run it with `sh`!
|
|
```
|
|
NOW=$(date)
|
|
date -s "1970-01-01 00:00:00"
|
|
touch #{target_filename}
|
|
date -s "$NOW"
|
|
stat #{target_filename}
|
|
```
|
|
<br/>
|