✞ inversecos🩸 (@inversecos):

1\ #DFIR: How to detect Linux Timestomping

Analyse the entries in these two files:
> filesystem.db
> filesystem.db-wal

Most writeups focus on detecting the use of 'touch'. But you can timestomp without using 'touch'. 😈

Check out my blog below 👇
inversecos.com/2022/08/detect…
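The point of the post above is that `touch` is only one front end to utimensat(2); any process can call it. The added example below (my own code, not inversecos' post or blog, and it does not parse filesystem.db) backdates a file through `os.utime` and then runs the inode-level checks an examiner can make with nothing but `stat`: a ctime that the kernel stamped long after the attacker-chosen mtime, an mtime sitting exactly on a second boundary, and, where the platform exposes birth time, an mtime older than the file's creation. The 60-second ctime gap and the 2015 backdate are constructed values for illustration.

```python
"""Backdate a file on Linux without `touch`, then run stat-based checks.

Added example; not code from inversecos' post or blog, and it does not read
filesystem.db. It relies only on inode timestamps exposed by stat(2).
The 60-second ctime gap threshold and the 2015 backdate are assumptions.
"""
import os
import tempfile
from typing import Dict, List, Optional

ONE_SECOND_NS = 1_000_000_000
CTIME_GAP_NS = 60 * ONE_SECOND_NS          # assumed threshold for "far behind"
PAST_NS = 1_420_070_400 * ONE_SECOND_NS    # 2015-01-01T00:00:00Z, constructed backdate


def stomp(path: str, mtime_ns: int, atime_ns: Optional[int] = None) -> None:
    """Timestomp via utimensat(2) through os.utime; no `touch` binary runs.

    Only atime and mtime are caller-controlled. The kernel stamps ctime with
    the current time whenever the inode changes, and that is the residue.
    """
    os.utime(path, ns=(mtime_ns if atime_ns is None else atime_ns, mtime_ns))


def assess(path: str) -> List[str]:
    """Return the timestomping indicators present on one file (may be empty)."""
    st = os.stat(path)
    findings: List[str] = []
    # 1. mtime far behind ctime: the content time was rewritten after the
    #    inode last changed. chmod/chown/rename and `cp -p`/rsync also leave
    #    this pattern, so on its own it is a lead, not a verdict.
    if st.st_ctime_ns - st.st_mtime_ns > CTIME_GAP_NS:
        findings.append("mtime predates ctime")
    # 2. Real writes carry nanoseconds. A date typed into `touch -d`, or a
    #    whole-second value passed to utime, lands exactly on a second.
    if st.st_mtime_ns % ONE_SECOND_NS == 0:
        findings.append("whole-second mtime")
    # 3. Where the platform exposes birth time (os.stat does not on Linux;
    #    use `stat` or debugfs crtime there), mtime older than birth is the
    #    same contradiction as NTFS $SI created < $FN created.
    birth_ns = getattr(st, "st_birthtime_ns", None)
    if birth_ns is not None and st.st_mtime_ns + ONE_SECOND_NS < birth_ns:
        findings.append("mtime predates birth time")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean file, a naive stomp, and a stomp that
    carries a sub-second part so check 2 does not fire."""
    d = tempfile.mkdtemp(prefix="stomp-")
    paths = {k: os.path.join(d, f"{k}.log") for k in ("clean", "naive", "careful")}
    for p in paths.values():
        with open(p, "w") as fh:
            fh.write("constructed sample content\n")
    stomp(paths["naive"], PAST_NS)                  # whole seconds, like `touch -d 2015-01-01`
    stomp(paths["careful"], PAST_NS + 123_456_789)  # nanoseconds borrowed from a neighbouring file
    return {k: assess(p) for k, p in paths.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:8s} {findings or 'no indicators'}")
```

`demo()` returns the indicator list per file. The "careful" file shows why the whole-second heuristic cannot be the only check: copying the nanosecond part from a legitimate neighbour defeats it, while the ctime gap survives because no user-space call sets ctime. Treat the gap as a pivot into other evidence (shell history, auditd, the inode's crtime via debugfs) rather than a finding in itself.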

Justin Bui (@slyd0g):

Just released a post covering timestomping as an anti-forensics technique! I dig into the implementation as well as detections. Big thanks to my team SpecterOps for pushing me to look into defense as well as offense 💜
posts.specterops.io/revisiting-ttp…


Taz Wake (@tazwake):

DFIR reminder - files in NTFS have 2+ sets of timestamps (3 sets is normal). This means you have 2 creation times (as shown). Timestomping invariably only changes the first & you can use this.

But be warned - there are tons of false positives here, so it is a bad 'hunt.'

shawi | شاوي (@ShawiTheHunter):

The difference, from a forensic-investigation standpoint, is that the $SI times can be modified with timestomping tools, whereas for $FN there are so far no methods of modifying these values (a topic for discussion: what if there is a signed malicious driver?).

Security Compass Advisory (@advisory_sc):

Skillful attackers use #timestomping to hide malicious files, slowing down detection and response.

Join @KrollWire on June 15th to learn how to detect timestomping using Kroll Artifact Parser and Extractor (#KAPE).

#cyberrisk #cyberthreat

bit.ly/3LRMvNZ

Eric Capuano (@eric_capuano):

Did you know Sysmon's event ID 2 can help identify signs of timestomping? Takes some tuning to reduce some FPs, but it's very good at it. Here's an executable that's been timestomped by a CobaltStrike beacon...
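Sysmon Event ID 2 (FileCreateTime) records both the new creation time and the one it replaced, which is what makes the post's detection possible. The added example below is my own triage logic, not Eric Capuano's; the three events are constructed in Sysmon's event XML shape, and the image allowlist is an assumed starting point for the tuning the post mentions, not a list from the post. It flags a creation time moved into the past, a whole-second value (Sysmon reports milliseconds, and real creations rarely land on .000), and raises the weight when the target is executable.

```python
"""Triage Sysmon Event ID 2 (FileCreateTime) records for timestomping.

Added example, not from Eric Capuano's post. Events are constructed in
Sysmon's event XML shape; IMAGE_ALLOWLIST is an assumed tuning list.
"""
import os
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed tuning: sync clients and browsers rewrite creation times routinely
# and account for much of the noise; build the list from your own baseline.
IMAGE_ALLOWLIST = {"onedrive.exe", "dropbox.exe", "chrome.exe", "msedge.exe"}
EXEC_EXT = {".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd"}

SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>2</EventID></System>
 <EventData>
  <Data Name="UtcTime">2023-03-01 10:15:02.113</Data>
  <Data Name="ProcessId">4120</Data>
  <Data Name="Image">C:\Windows\Temp\update.exe</Data>
  <Data Name="TargetFilename">C:\Windows\Temp\svchost.exe</Data>
  <Data Name="CreationUtcTime">2019-04-09 06:21:11.000</Data>
  <Data Name="PreviousCreationUtcTime">2023-03-01 10:15:01.874</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>2</EventID></System>
 <EventData>
  <Data Name="UtcTime">2023-03-01 10:16:40.002</Data>
  <Data Name="ProcessId">6532</Data>
  <Data Name="Image">C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe</Data>
  <Data Name="TargetFilename">C:\Users\alice\OneDrive\Documents\report.docx</Data>
  <Data Name="CreationUtcTime">2022-11-20 08:02:31.000</Data>
  <Data Name="PreviousCreationUtcTime">2023-03-01 10:16:39.991</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>2</EventID></System>
 <EventData>
  <Data Name="UtcTime">2023-03-01 10:20:00.420</Data>
  <Data Name="ProcessId">1188</Data>
  <Data Name="Image">C:\Windows\explorer.exe</Data>
  <Data Name="TargetFilename">C:\Users\alice\Downloads\notes.txt</Data>
  <Data Name="CreationUtcTime">2023-03-01 10:20:00.418</Data>
  <Data Name="PreviousCreationUtcTime">2023-03-01 10:19:58.201</Data>
 </EventData>
</Event>
</Events>"""


def parse_sysmon_time(s: str) -> datetime:
    """Sysmon writes 'yyyy-MM-dd HH:mm:ss.fff' in UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def event_data(ev: ET.Element) -> Dict[str, str]:
    """Flatten <EventData><Data Name=...> children into a dict."""
    return {d.get("Name", ""): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}


def triage_event(d: Dict[str, str]) -> Dict[str, object]:
    image = d["Image"].rsplit("\\", 1)[-1].lower()
    ext = os.path.splitext(d["TargetFilename"].lower())[1]
    result: Dict[str, object] = {"target": d["TargetFilename"], "image": d["Image"],
                                 "suppressed": False, "reasons": []}
    if image in IMAGE_ALLOWLIST:          # tuning: known-noisy writers
        result["suppressed"] = True
        return result
    new = parse_sysmon_time(d["CreationUtcTime"])
    old = parse_sysmon_time(d["PreviousCreationUtcTime"])
    reasons: List[str] = []
    if new < old:                          # the file now claims to predate its own history
        reasons.append("creation time moved into the past")
    if new.microsecond == 0:               # .000 milliseconds: typical of SetFileTime with whole seconds
        reasons.append("whole-second creation time")
    if reasons and ext in EXEC_EXT:        # a backdated binary is the beacon-drop pattern
        reasons.append("executable target")
    result["reasons"] = reasons
    return result


def triage(xml_text: str) -> List[Dict[str, object]]:
    """Run triage_event over every Event ID 2 in an <Events> wrapper."""
    root = ET.fromstring(xml_text)
    return [triage_event(event_data(ev)) for ev in root.findall("e:Event", NS)
            if ev.findtext("e:System/e:EventID", namespaces=NS) == "2"]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["target"], "suppressed" if hit["suppressed"] else hit["reasons"])
```

The second event is the kind of false positive the post warns about: a sync client restoring a file's original creation time looks identical at the field level, so tuning has to come from the writing image, not from the timestamps alone. The third event moves the creation time forward by two seconds with a non-zero millisecond part, which is ordinary file-manager behaviour and produces no reason.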

Kroll (@KrollWire):

In our new series covering sophisticated anti-forensic tactics, our #cyberrisk expert Andrew Rathbun dives into timestomping, how threat actors are using it and how to detect it on a compromised system.

Learn more: bit.ly/3zAJwGW

#cyberthreat #cybersecurity

Privilege Escalator (@kafkaesqu3):

forensic examiners often look at file create/modify properties when triaging systems to identify suspicious files, so I wrote a lil .NET timestomping tool to help you blend in:
github.com/kafkaesqu3/Sha…


Kroll (@KrollWire):

In this insightful webinar, our expert Andrew Rathbun demonstrates how to use Kroll Artifact Parser and Extractor (#KAPE), MFTECmd and Timeline Explorer to acquire, parse and analyze an $MFT file to detect #timestomping.

Watch the replay here: bit.ly/3aiCegS


عبدالرحمن الداعج - تقني سيبراني (@A9_4):

The best strategy for checking whether any file has been manipulated through Timestomping is to apply several verification methods and not rely on a single one:
1- The first method is to check whether the Creation Date in $STANDARD_INFORMATION is older than the Creation Date in $File_NAME; if so, its date may have been tampered with.
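The check described in this post, and in the earlier posts by Taz Wake and ShawiTheHunter, is a comparison between the two creation times NTFS keeps for a file: the $STANDARD_INFORMATION (0x10) one that SetFileTime and the usual stomping tools rewrite, and the $FILE_NAME (0x30) one that only the filesystem driver writes. The added example below is my own code serving all three posts, not code from any of them. The CSV is constructed in the shape of MFTECmd's $MFT export; the column names Created0x10/Created0x30 are an assumption about that tool's output, and the rows are invented to show a hit, a classic false positive, a clean file, and a stomp that evades the comparison.

```python
"""Cross-check $STANDARD_INFORMATION (0x10) against $FILE_NAME (0x30) creation times.

Added example serving the NTFS posts above; not code from any of them. The
CSV is constructed in the shape of MFTECmd's $MFT export; column names
Created0x10/Created0x30 are assumed from that tool's output.
"""
import csv
import io
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_MFT_CSV = r"""EntryNumber,ParentPath,FileName,Created0x10,LastModified0x10,Created0x30,LastModified0x30
41233,.\Windows\Temp,svchost.exe,2019-04-09 06:21:11.0000000,2019-04-09 06:21:11.0000000,2023-03-01 10:15:01.8741234,2023-03-01 10:15:01.8741234
52870,.\Users\alice\Downloads\tool,setup_readme.txt,2021-06-01 09:00:00.0000000,2021-06-01 09:00:00.0000000,2023-02-12 14:03:22.5512000,2023-02-12 14:03:22.5512000
52871,.\Users\alice\Documents,report.docx,2023-02-12 14:03:22.5512000,2023-02-14 17:45:09.1023311,2023-02-12 14:03:22.5512000,2023-02-12 14:03:22.5512000
41240,.\Windows\Temp,evil.dll,2019-04-09 06:21:11.3389120,2019-04-09 06:21:11.3389120,2019-04-09 06:21:11.3389120,2019-04-09 06:21:11.3389120
"""

MftTime = Tuple[datetime, int]  # (whole seconds, 100-ns ticks within that second)


def parse_mft_time(s: str) -> MftTime:
    """NTFS stores 100-ns ticks and MFTECmd keeps all 7 digits; strptime's %f stops at 6."""
    main, _, frac = s.partition(".")
    return datetime.strptime(main, "%Y-%m-%d %H:%M:%S"), int(frac.ljust(7, "0"))


def check_entry(row: Dict[str, str]) -> List[str]:
    si = parse_mft_time(row["Created0x10"])
    fn = parse_mft_time(row["Created0x30"])
    reasons: List[str] = []
    # $FN is written by the filesystem driver and is not reachable through
    # SetFileTime, so a $SI creation older than the $FN one is a contradiction.
    if si < fn:
        reasons.append("$SI created predates $FN created")
    # Common stomping tools set whole seconds; NTFS itself writes 100-ns ticks.
    if si[1] == 0 and fn[1] != 0:
        reasons.append("$SI created has no sub-second part while $FN does")
    return reasons


def scan(csv_text: str) -> Dict[str, List[str]]:
    """Map each full path in the export to its list of reasons (empty = nothing found)."""
    return {
        "\\".join((row["ParentPath"], row["FileName"])): check_entry(row)
        for row in csv.DictReader(io.StringIO(csv_text))
    }


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_MFT_CSV).items():
        print(path, reasons or "no indicators")
```

Two of the four constructed rows illustrate why Taz Wake calls this a bad hunt on its own. The Downloads row fires on both rules, yet that pattern is exactly what archive extractors and installers leave when they write the archived timestamp into $SI of a freshly created file. The evil.dll row fires on nothing: an attacker who stomps $SI and then moves or renames the file gets a new $FN whose timestamps are copied from the stomped $SI, and one who supplies a full 100-ns value defeats the sub-second rule as well. Use the comparison to rank entries, then confirm with $UsnJrnl, $LogFile, prefetch or the writing process rather than closing on the $MFT alone.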

Vitali Kremez (@VK_Intel):

2021-02-09: 🆕🔥#Gozi #ISFB v2 API “timestomping” ⚙️February 1, 2021 Build
1⃣GetSystemTimeAsFileTime for File Mapping API
2⃣QueueUserAPI Thread Processor

Minor additions to the loader component
cc/ @luc4m

🇮🇱☮️🇺🇦 Balanced Acceleration (b/acc) (@valb00):

Great list of adversarial defense evasion techniques listed. But it’s a logging article after all, so let’s not forget the most obvious TTP of all - log tampering via wiping or timestomping

New @WhiteHouse CyberSecurity Executive Order mandates log integrity monitoring (Sec8b)

Pavel (@sadreck):

Following a feature request, Spartacus v1.2.0 supports:

👉Replication of VERSIONINFO from the original DLL
👉Replication of date created/modified via timestomping

Both are automatically applied when creating a proxy using the --generate-proxy command

github.com/Accenture/Spar…


Halil Öztürkci (@halilozturkci):

How to detect Timestomping (tampering with file times), one of the anti-forensics techniques: blog.nuix.com/2014/11/19/ide…
