MITRE ATT&CK vulnerability spotlight: Timestomping

Introduction

MITRE Corporation is a non-profit and federally funded research and development center (FFRDC) that provides unbiased R&D and assessment services to the U.S. government. One of the research areas that MITRE pursues is cybersecurity.

Part of MITRE’s efforts in the cybersecurity field is the creation and maintenance of the MITRE ATT&CK matrix. This is a knowledge base that organizes the stages of a cyberattack (the tactics) and the various techniques an adversary can use to accomplish each of them, drawn from observed real-world intrusions.

One stage in the attack life cycle involves evading the defender’s attempts to detect or protect against potential intrusions; ATT&CK calls this tactic Defense Evasion. Timestomping is one technique that attackers use to accomplish this (it is catalogued under Indicator Removal as T1070.006, Timestomp).

What is timestomping?

Every mainstream operating system and file system records timestamps for each file. These tell you when a file was created, last modified and so on, and are used for sorting files, change tracking, backups and similar housekeeping.

Timestamps are also useful for determining which files may have been involved in a particular attack. If an IDS or other system raises an alert at 9:55 and there is a file on the system with a creation time of about the same moment, that file is probably where investigators will start. Malware authors know this, and they use timestomping to make a dropped file’s timestamps blend in with the rest of the system, for example by backdating them or by copying the timestamps of a legitimate file in the same directory.

On an NTFS volume, each file’s record in the Master File Table (MFT) holds two separate sets of four timestamp values. Each set stores the following values for the file:

  • Creation time
  • Modification time (last change to the file’s contents)
  • MFT entry modification time (last change to the file’s MFT record itself)
  • Last accessed time

One of these sets lives in the file’s $STANDARD_INFORMATION attribute and the other in its $FILE_NAME attribute. The $STANDARD_INFORMATION timestamps are user-modifiable: any process with write access to the file can set them through documented APIs such as the Win32 SetFileTime call, which is also what Explorer, PowerShell and most tools expose. The $FILE_NAME timestamps are designed to be written only by the NTFS driver itself, when the file is created, renamed or moved, and are not exposed to user-mode APIs.
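The two passages above (why an attacker stomps a dropped file’s timestamps, and the $STANDARD_INFORMATION versus $FILE_NAME split) as one added worked example; this is not code from the original post. The script builds a synthetic 1024-byte MFT FILE record in memory (constructed test data: the name evil.dll, the 2023-03-14 09:55 drop time and the 2019 backdated stamps are all assumptions), plays the attacker side by backdating only the $SI timestamps, then parses both attributes, applying the NTFS update-sequence fixups first, and flags two classic stomping indicators: a $SI creation time earlier than the $FN creation time, and $SI values with no sub-second fraction, which is what SetFileTime-based tools typically leave behind.

```python
"""Detect timestomping by comparing an NTFS MFT record's $STANDARD_INFORMATION
($SI) timestamps with its $FILE_NAME ($FN) timestamps.

Added example, not code from the original post. build_record() fabricates the
record so the script runs offline; on real data feed it 1024-byte records cut
from an extracted $MFT file."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
TS_NAMES = ("created", "modified", "mft_modified", "accessed")
TICKS_PER_SECOND = 10_000_000      # FILETIME = 100 ns ticks since 1601-01-01 UTC


def dt_to_filetime(dt: datetime) -> int:
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def filetime_to_dt(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def ft(iso_utc: str) -> int:
    """ISO-8601 string (UTC, no offset) -> FILETIME; constructed-data helper."""
    return dt_to_filetime(datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc))


def apply_fixups(rec: bytearray) -> None:
    """Undo the update-sequence fixups NTFS writes into the last two bytes of each
    512-byte sector. Skipping this corrupts any field that straddles a sector end."""
    usa_ofs, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_ofs:usa_ofs + 2]
    for i in range(1, usa_cnt):
        tail = i * 512 - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch: torn write or corrupt record")
        rec[tail:tail + 2] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]


def parse_timestamps(record: bytes) -> dict:
    """Return {"si": {...}, "fn": {...}}: FILETIME values of the four timestamps
    in $SI and in the first $FN attribute (a file may carry several $FN)."""
    rec = bytearray(record)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    apply_fixups(rec)
    ofs = struct.unpack_from("<H", rec, 0x14)[0]          # first attribute offset
    out = {}
    while True:
        atype, alen = struct.unpack_from("<II", rec, ofs)
        if atype == ATTR_END:
            return out
        if rec[ofs + 8] == 0 and atype in (ATTR_SI, ATTR_FN):   # resident only
            content = ofs + struct.unpack_from("<H", rec, ofs + 0x14)[0]
            if atype == ATTR_FN:
                content += 8                                # skip parent dir reference
            key = "si" if atype == ATTR_SI else "fn"
            out.setdefault(key, dict(zip(TS_NAMES, struct.unpack_from("<4Q", rec, content))))
        ofs += alen


def timestomp_indicators(ts: dict) -> list:
    """$FN is written only by the NTFS driver (create/rename/move) and is copied
    from $SI at that moment, so $SI created < $FN created does not arise from
    ordinary file activity. SetFileTime-driven stomps also tend to write whole
    seconds, while genuine NTFS stamps nearly always have a fractional part.
    Benign triggers exist (archive extractors restoring creation times, NTFS
    file tunneling), so treat hits as triage leads, not proof."""
    si, fn = ts["si"], ts["fn"]
    hits = []
    if si["created"] < fn["created"]:
        hits.append("si_created_before_fn_created")
    hits += [f"si_{n}_whole_seconds" for n in TS_NAMES if si[n] % TICKS_PER_SECOND == 0]
    return hits


def build_record(si: dict, fn: dict, name: str = "evil.dll") -> bytes:
    """Fabricate a minimal FILE record with one $SI and one $FN (constructed data)."""
    def attr(atype: int, attr_id: int, body: bytes) -> bytes:
        length = 0x18 + len(body)
        length += -length % 8                                # attributes are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, attr_id,
                          len(body), 0x18, 0, 0)              # resident, unnamed
        return (hdr + body).ljust(length, b"\0")

    si_body = struct.pack("<4Q", *(si[n] for n in TS_NAMES)) + struct.pack("<4I", 0x20, 0, 0, 0)
    fn_body = (struct.pack("<Q", (5 << 48) | 5)               # parent = root dir, entry 5
               + struct.pack("<4Q", *(fn[n] for n in TS_NAMES))
               + struct.pack("<QQIIBB", 4096, 3072, 0x20, 0, len(name), 3)
               + name.encode("utf-16-le"))
    attrs = attr(ATTR_SI, 0, si_body) + attr(ATTR_FN, 1, fn_body) + struct.pack("<II", ATTR_END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x38 + len(attrs), 1024, 0, 2, 0, 99)   # USA at 0x30, 3 entries
    rec = bytearray(hdr) + bytearray(8) + attrs
    rec += bytes(1024 - len(rec))
    usn = b"\x01\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                           # stamp both sector tails
        tail = i * 512 - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[tail:tail + 2]   # save the real bytes in the USA
        rec[tail:tail + 2] = usn
    return bytes(rec)


def demo() -> tuple:
    # Constructed scenario: evil.dll dropped just after the 09:55 IDS alert.
    fresh = dict.fromkeys(TS_NAMES, ft("2023-03-14T09:55:12.345678"))   # new file: $SI == $FN
    # Attacker backdates $SI with SetFileTime to whole seconds in 2019; the OS sets
    # $SI mft_modified to the time of that write and never touches $FN.
    stomped_si = dict(fresh)
    for n in ("created", "modified", "accessed"):
        stomped_si[n] = ft("2019-11-02T04:00:00")
    stomped_si["mft_modified"] = ft("2023-03-14T09:57:01.123456")
    return (timestomp_indicators(parse_timestamps(build_record(fresh, fresh))),
            timestomp_indicators(parse_timestamps(build_record(stomped_si, fresh))))


if __name__ == "__main__":
    clean, stomped = demo()
    print("untouched record:", clean or "no indicators")
    print("stomped record:  ", stomped)
```

Run stand-alone it reports no indicators for the untouched record and four for the stomped one (the $SI-before-$FN mismatch plus three whole-second stamps; the $SI MFT-modified value keeps its fraction because the driver wrote it). The whole-seconds heuristic is defeated by an attacker who copies a neighbouring file’s exact FILETIME values, which is why the $FN comparison is the check worth keeping, and why the $SI MFT-modified time being newer than the $SI created and modified times is a useful third clue on real data.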

Despite this, there is a way to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/IEih6n22IEw/