After a request to add the capability to PowerSploit, I wanted to figure out how to do it (I do prefer avoiding writing anything to disk, but there are times when it is unavoidable). I always thought that TimeStomp was black magic, but then I noticed the capability in Cobalt Strike's Beacon. I asked Raphael and he pointed me to a well-documented part of the Windows API. So naturally I headed over to pinvoke.net to check out the C# sample. It didn't take long to have a working function, but I got curious and found a .Net class to simplify the code. Armed with two working functions, I boarded the plane after ShowMeCon and wondered if it were possible to accomplish the task in a more "PowerShelly" (technical term) way.
Let's explore with Get-Member:
Nothing novel, but cool nonetheless. Some people would prefer a more "Touch" like capability, so I wrapped it all up in a function called Set-MacAttributes which will be added to PowerSploit soon:
I think it's a prime example of why you should start by exploring cmdlets, then check out .NET and finally the API. It can save you a lot of time when you are building PowerShell tools. Obviously this won't stand up to forensic scrutiny like TimeStomp will, but it will definitely serve the purpose of hiding files in plain sight.
-Chris
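The defender-side counterpart to the cmdlet route above, as an added example that is not code from the post or from PowerSploit: it walks a directory with Get-ChildItem, reads the same CreationTime, LastAccessTime and LastWriteTime properties that Get-Member exposes on a FileInfo object, and flags values that look hand-set. Both heuristics are assumptions on my part and are noisy on their own, so the output is a starting point for review, not a verdict.

```powershell
# Added example (not from the original post or PowerSploit).
# Heuristics used, both assumptions rather than anything the post states:
#   1. CreationTime later than LastWriteTime: a file is not normally modified
#      before it exists, although copies and extracted archives also show this.
#   2. A timestamp whose sub-second part is exactly zero: a value typed by a
#      person ("01/01/2010 12:00") lands on a whole second, while NTFS normally
#      records 100 ns ticks from the clock.
function Find-TimestampAnomaly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )

    $TicksPerSecond = [TimeSpan]::TicksPerSecond   # 10,000,000 ticks

    Get-ChildItem -Path $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reasons = @()

            # Heuristic 1: creation after last write
            if ($_.CreationTime -gt $_.LastWriteTime) {
                $reasons += 'CreationTime is later than LastWriteTime'
            }

            # Heuristic 2: any of the three MAC values sits on a whole second
            foreach ($prop in 'CreationTime', 'LastAccessTime', 'LastWriteTime') {
                if (($_.$prop.Ticks % $TicksPerSecond) -eq 0) {
                    $reasons += "$prop has zero sub-second ticks"
                }
            }

            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    FullName       = $_.FullName
                    CreationTime   = $_.CreationTime.ToString('o')
                    LastAccessTime = $_.LastAccessTime.ToString('o')
                    LastWriteTime  = $_.LastWriteTime.ToString('o')
                    Reason         = $reasons -join '; '
                }
            }
        }
}

# Usage against a directory of interest (path is a constructed placeholder):
# Find-TimestampAnomaly -Path 'C:\Users\Public' -Recurse | Format-Table -AutoSize
```

Run it only against NTFS volumes: FAT stores last-write times at 2-second granularity, so heuristic 2 fires on every file there. As the comment below notes, these are the $STANDARD_INFORMATION values; a real forensic comparison also reads the $FILE_NAME timestamps out of the MFT, which this check does not do.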
That's only half of the story from a forensics standpoint. This is already fairly commonly used by criminals, stomping the file attributes. However the raw MFT data will still have the original values of creation time. So to really leave no trace, those need to be stomped as well. :)
http://msdn.microsoft.com/en-us/library/windows/desktop/aa365230(v=vs.85).aspx
Yep, I mentioned that in the last line but I guess it's not clear. The tool "TimeStomp" modifies not only the (M)odified, (A)ccessed and (C)reated file properties but also the MFT (E)ntry which allows it to stand up to forensic scrutiny. Since I have no interest in standing up to forensic scrutiny, only hiding from admins, MAC is enough for me. Thanks for the comment.