
Add "Timestomping" attack technique (T1099) #795

@shreyamalviya

Description


T1099

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.

Adding it as a PBA:
- LINUX: create a temp file, change its last-modified timestamp (see this), and remove the temp file
- WINDOWS: create a temp file, change its last-modified timestamp (see this), and remove the temp file
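The two PBA steps above, written out as a runnable Python simulation together with the check a forensic reviewer would run against it. This is an added example, not the project's own PBA code: the function names `timestomp_temp_file` and `looks_timestomped` and the ten-year offset are assumptions. It creates a temp file, pushes its modified/accessed times into the past with `os.utime`, records the resulting stat values, removes the file, and then reports whether the gap between the file's change/creation time and its modified time gives the stomp away.

```python
import os
import tempfile

# Constructed offset for the simulation: push mtime ten years into the past.
TEN_YEARS = 10 * 365 * 24 * 3600

# Any file whose (ctime - mtime) gap exceeds this is flagged by the check below.
SUSPICIOUS_GAP_SECONDS = 24 * 3600


def looks_timestomped(st: os.stat_result, threshold: float = SUSPICIOUS_GAP_SECONDS) -> bool:
    """Detection heuristic: a modified time far earlier than the change time.

    On Linux st_ctime is the inode change time, which os.utime cannot set and which
    the utime call itself bumps to 'now'; on Windows st_ctime is the creation time,
    which a fresh file also has set to 'now'. Either way a file whose mtime is much
    older than its ctime has had its timestamp rewritten after the fact.
    """
    return (st.st_ctime - st.st_mtime) > threshold


def timestomp_temp_file(seconds_back: int = TEN_YEARS) -> dict:
    """Run the PBA steps (create temp file, rewrite mtime, delete) and return what was observed."""
    fd, path = tempfile.mkstemp(prefix="timestomp-pba-")
    os.close(fd)
    try:
        before = os.stat(path)
        target = before.st_mtime - seconds_back

        # Step 2: rewrite the access and modified times (atime, mtime) to the chosen value.
        os.utime(path, (target, target))

        after = os.stat(path)
        return {
            "mtime_before": before.st_mtime,
            "mtime_after": after.st_mtime,
            "ctime_after": after.st_ctime,
            # Did the rewrite land within a second of the requested value?
            "mtime_rewritten": abs(after.st_mtime - target) < 1.0,
            # Would the defender-side heuristic have caught this file?
            "detected": looks_timestomped(after),
            "ctime_mtime_gap": after.st_ctime - after.st_mtime,
        }
    finally:
        # Step 3: remove the temp file so the simulation leaves nothing behind.
        os.remove(path)


if __name__ == "__main__":
    result = timestomp_temp_file()
    for key, value in result.items():
        print(f"{key}: {value}")
```

The simulation only rewrites mtime and atime, which is all `os.utime` can do; the change time (Linux) or creation time (Windows) stays at the moment the file was touched, and that mismatch is exactly what `looks_timestomped` keys on. A PBA built this way therefore exercises the detection logic rather than defeating it, which is the point of running it as a post-breach action.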

Mapping the technique to the ATT&CK matrix

Labels

Feature: Issue that describes a new feature to be implemented.
