Red Teaming Experiments
linkedintwitterpatreongithub
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
AV Bypass with Metasploit Templates and Custom Binaries
Evading Windows Defender with 1 Byte Change
Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
Windows API Hashing in Malware
Detecting Hooked Syscalls
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
Retrieving ntdll Syscall Stubs from Disk at Run-time
Full DLL Unhooking with C++
Enumerating RWX Protected Memory Regions for Code Injection
Disabling Windows Event Logs by Suspending EventLog Service Threads
Obfuscated Powershell Invocations
Masquerading Processes in Userland via _PEB
Commandline Obfusaction
File Smuggling with HTML and JavaScript
Timestomping
Alternate Data Streams
Hidden Files
Encode/Decode Data with Certutil
Downloading Files with Certutil
Packed Binaries
Unloading Sysmon Driver
Bypassing IDS Signatures with Simple Reverse Shells
Preventing 3rd Party DLLs from Injecting into your Malware
ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)
Parent Process ID (PPID) Spoofing
Executing C# Assemblies from Jscript and wscript with DotNetToJscript
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Timestomping
Defense Evasion

Checking original timestamps of the nc.exe:
.\timestomp.exe .\nc.exe -v
Forging the file creation date:
.\timestomp.exe .\nc.exe -c "Monday 7/25/2005 5:15:55 AM"
Checking the $MFT for changes - first of, dumping the $MFT:
.\RawCopy64.exe /FileNamePath:C:\$MFT /OutputName:c:\experiments\mft.dat
Let's find the nc.exe record and check its timestamps:
Import-Csv .\mft.csv -Delimiter "`t" | Where-Object {$_.Filename -eq "nc.exe"}
Note how fnCreateTime did not get updated:
For this reason, it is always a good idea to check both $STANDARD_INFO and $FILE_NAME times during the investigation to have a better chance at detecting timestomping.
Note that if we moved the nc.exe file to any other folder on the system and re-parsed the $MFT again, the fnCreateTime timestamp would inherit the timestamp from siCreateTime:

https://www.forensicswiki.org/wiki/Timestomp
www.forensicswiki.org
https://digital-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation
digital-forensics.sans.org
Indicator Removal on Host: Timestomp, Sub-technique T1070.006 - Enterprise | MITRE ATT&CK®
Previous
File Smuggling with HTML and JavaScript
Next
Alternate Data Streams
Last modified 3yr ago
Copy link
On this page
Execution
References