Showing posts from August, 2022

Detecting Linux Anti-Forensics: Timestomping

  Threat actors can modify the timestamps on malicious files to evade detection.  This technique has been used time and time again across various APT and opportunistic threat groups. How do you detect this when auditd, bash history and EDR does not exist? I notice basically all writeups on timestomping detection on Linux focus solely on looking at command-line usage of "touch". I'm here to offer you a different method. I will cover TWO techniques to perform timestomping and offer a different method of detection that doesn’t rely on auditd, command line logging or EDR. Why should you care? Because inexperienced analysts may notice a specific malicious file being created outside of an attack window and consider that the compromise timeframe may be even earlier than what it is. Further, the analyst may completely disregard a file as an attacker-based tool if it is completely outside of the timeframe. I’m here to help :)  This blog is structured in four sections: Timestomping