124. That's How Adversaries Abuse PowerShell for Timestomping
Hello everyone!
Still adding interesting items to my PowerShell collection! This morning I was reading this report and spotted another in-the-wild (ITW) example of PowerShell being abused for timestomping.
The adversary created scheduled tasks to execute MeshAgent and then ran PowerShell commands to timestomp the related files. Here are some examples:
# Each statement overwrites one NTFS timestamp of the DLL with the same forged value
(Get-Item ".\vcruntime140_1.dll").LastAccessTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140_1.dll").LastWriteTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140_1.dll").CreationTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140.dll").LastAccessTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140.dll").LastWriteTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140.dll").CreationTime=("12 May 2024 11:14:00")
For example, we can use the ScriptBlock logging event to hunt for abuse of the Get-Item cmdlet:
event_type: "ScriptExecutionWin"
AND
script_text: "get-item" AND ("lastaccesstime" OR "lastwritetime" OR "creationtime")
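To show how that query behaves on actual script-block text, here is an added Python example (mine, not code from the post or from the report) that applies the same keyword logic to constructed sample ScriptBlock texts and adds a stricter tier that only fires when a timestamp property is assigned rather than read; the samples are constructed, and matching the built-in `gi` alias of Get-Item is my addition.

```python
import re

# Timestamp properties an adversary rewrites when timestomping a file.
TIMESTAMP_PROPS = ("lastaccesstime", "lastwritetime", "creationtime")

# Get-Item or its built-in alias gi, as a whole word.
GET_ITEM_RE = re.compile(r"\b(get-item|gi)\b", re.IGNORECASE)

# Strict tier: ".Prop = value" (or the *Utc variants), i.e. an assignment.
# A bare ".LastWriteTime" read, as in a listing script, does not match.
ASSIGN_RE = re.compile(
    r"\.(lastaccesstime|lastwritetime|creationtime)(utc)?\s*=(?!=)",
    re.IGNORECASE,
)

# Constructed sample 4104-style script-block texts (not from the report).
SAMPLE_SCRIPT_BLOCKS = [
    r'(Get-Item ".\vcruntime140.dll").LastWriteTime=("12 May 2024 11:14:00")',
    r'(gi "C:\Tools\agent.exe").CreationTime = "12 May 2024 11:14:00"',
    r'(Get-Item .\report.txt).LastWriteTime',            # read only: benign
    r'Get-ChildItem C:\Logs | Sort-Object LastWriteTime',  # no Get-Item at all
    r'$f = Get-Item .\x.dll; $f.LastAccessTime = (Get-Date)',  # split over two statements
]


def classify(script_text: str) -> str:
    """Return 'timestomp', 'review' or 'benign' for one ScriptBlock text.

    'review'    = matches the broad hunting query from the post (Get-Item plus
                  a timestamp property) but the property is only read.
    'timestomp' = the property is assigned, regardless of whether the
                  Get-Item result was used inline or via a variable.
    """
    lowered = script_text.lower()
    mentions_item = GET_ITEM_RE.search(script_text) is not None
    mentions_prop = any(prop in lowered for prop in TIMESTAMP_PROPS)
    if not (mentions_item and mentions_prop):
        return "benign"
    if ASSIGN_RE.search(script_text):
        return "timestomp"
    return "review"


def hunt(script_blocks):
    """Classify every script block; returns (verdict, text) pairs."""
    return [(classify(text), text) for text in script_blocks]
```

The last sample shows why the strict tier anchors on the `.Prop =` assignment rather than on `(Get-Item ...)` directly: the adversary can split the call and the assignment across statements and the broad keyword query still lands the hit.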
Happy hunting!
See you tomorrow!