mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-12 14:22:47 +00:00
Add timestomping to Linux evasion techniques
This commit is contained in:
parent
5754ed82ee
commit
501975a330
1 changed files with 39 additions and 1 deletions
@ -5,6 +5,7 @@
- [File names](#file-names)
- [Command history](#command-history)
- [Hiding text](#hiding-text)
- [Timestomping](#timestomping)


## File Names
@ -74,9 +75,46 @@ cat script.sh
```


## Timestomping

Timestomping refers to the alteration of a file or directory's modification/access timestamps in order to conceal the fact that it was modified.
The simplest way to accomplish this is with the `touch` command:

```bash
# Changes the access (-a) and modification (-m) times using YYYYMMDDhhmm format.
touch -a -m -t 202210312359 "example"

# Changes time using a Unix epoch timestamp.
touch -a -m -d @1667275140 "example"

# Copies timestamp from one file to another.
touch -a -m -r "other_file" "example"

# Get the file's modification timestamp, modify the file, then restore the timestamp.
MODIFIED_TS=$(stat --format="%Y" "example")
echo "backdoor" >> "example"
touch -a -m -d @$MODIFIED_TS "example"
```

It should be noted that `touch` can only modify the access and modification timestamps. It can't be used to update a file's "change" or "birth" timestamps. The birth timestamp, if supported by the filesystem, tracks when the file was created. The change timestamp tracks whenever the file's metadata changes, including updates to the access and modification timestamps.

If an attacker has root privileges, they can work around this limitation by modifying the system clock, creating or modifying a file, then reverting the system clock:

```bash
ORIG_TIME=$(date)
date -s "2022-10-31 23:59:59"
touch -a -m "example"
date -s "${ORIG_TIME}"
```

Don't forget that creating a file also updates the parent directory's modification timestamp as well!


## References

- [ATT&CK - Impair Defenses: Impair Command History Logging](https://attack.mitre.org/techniques/T1562/003/)
- [ATT&CK - Indicator Removal: Timestomp](https://attack.mitre.org/techniques/T1070/006/)
- [ATT&CK - Indicator Removal on Host: Clear Command History](https://attack.mitre.org/techniques/T1070/003/)
- [ATT&CK - Masquerading: Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005/)
- [Wikipedia - ANSI escape codes](https://en.wikipedia.org/wiki/ANSI_escape_code)
- [Wikipedia - ANSI escape codes](https://en.wikipedia.org/wiki/ANSI_escape_code)
- [InverseCos - Detecting Linux Anti-Forensics: Timestomping](https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html)
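Review bot: the restore snippet (`MODIFIED_TS=$(stat --format="%Y" "example")` followed by `touch -a -m -d @$MODIFIED_TS "example"`) saves only the modification time (`%Y`) and then writes it to both the access and modification times, so the file's original access time is overwritten with its mtime rather than restored; capture `%X` as well and restore each separately, e.g. `ACCESS_TS=$(stat --format="%X" "example")`, then `touch -a -d "@${ACCESS_TS}" "example"` and `touch -m -d "@${MODIFIED_TS}" "example"`, quoting the expansions. In the root example, `date -s "${ORIG_TIME}"` sets the clock back to the value captured before the edit, so the seconds that elapsed in between are lost; capturing `date +%s` and restoring with `date -s "@${ORIG_TIME}"` at least makes the round trip exact. The paragraph above already notes that `touch` cannot alter the change timestamp; it would help readers to say explicitly that this is the artifact the linked InverseCos reference uses for detection (a ctime later than the mtime), since that is the reason the clock-modification variant exists at all. Finally, the References context shows the Wikipedia ANSI escape codes entry twice; pre-existing, but easy to drop in this same change.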