124. That's How Adversaries Abuse PowerShell for Timestomping

Hello everyone!

Still adding interesting items to my PowerShell collection! This morning I was reading this report and spotted another in-the-wild (ITW) example of PowerShell being abused for timestomping.

The adversary created scheduled tasks to execute MeshAgent (the MeshCentral remote management agent) and then ran PowerShell commands to timestomp the related files, overwriting all three timestamps of each file with the same value. Here are some examples:

(Get-Item ".\vcruntime140_1.dll").LastAccessTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140_1.dll").LastWriteTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140_1.dll").CreationTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140.dll").LastAccessTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140.dll").LastWriteTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140.dll").CreationTime=("12 May 2024 11:14:00")

For example, we can use PowerShell Script Block Logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) to hunt for Get-Item being used to assign timestamp properties. The query below uses the event_type and script_text field names of the log schema shown here, so adapt them to your own SIEM:

event_type: "ScriptExecutionWin"
AND
script_text: "get-item" AND ("lastaccesstime" OR "lastwritetime" OR "creationtime")
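As an added example (my own code, not from the original post or the report it refers to), the following Python runs the post's substring query over a handful of constructed 4104-style script block texts and compares it with three regex rules. The rules generalize the hunt beyond the Get-Item form seen in the report: they also catch Set-ItemProperty on a timestamp property and the .NET [System.IO.File]::Set*Time methods, and they require an actual assignment, so merely reading a timestamp does not fire. The sample texts and the rule names are my own.

```python
import re

# Constructed sample script block texts, in the form they would appear in the
# ScriptBlockText field of Event ID 4104. Illustrative only, not taken from
# the report discussed in the post.
SAMPLE_SCRIPT_BLOCKS = [
    # 0: the pattern from the post: assigning a timestamp property via Get-Item
    r'(Get-Item ".\vcruntime140_1.dll").LastWriteTime=("12 May 2024 11:14:00")',
    # 1: variant: Set-ItemProperty on a timestamp property (no Get-Item at all)
    r'Set-ItemProperty -Path C:\Tools\agent.exe -Name CreationTime -Value "01/01/2020 00:00:00"',
    # 2: variant: .NET File class static method (no Get-Item at all)
    r'[System.IO.File]::SetLastWriteTime("C:\Tools\agent.exe", "2020-01-01")',
    # 3: variant: copying a timestamp from a legitimate system file via a variable
    r'$f = Get-Item .\agent.dll; $f.CreationTime = (Get-Item C:\Windows\System32\kernel32.dll).CreationTime',
    # 4: benign: only reading a timestamp
    r'Get-Item C:\Windows\System32\kernel32.dll | Select-Object LastWriteTime',
    # 5: benign: sorting by a timestamp
    r'Get-ChildItem C:\Logs | Sort-Object LastWriteTime -Descending | Select-Object -First 5',
]

TIMESTAMP_PROPS = r"(?:CreationTime|LastWriteTime|LastAccessTime)(?:Utc)?"

# Rule names are my own labels. Every regex is case-insensitive because
# PowerShell cmdlet and property names are.
RULES = [
    # ".CreationTime = <value>" on any object: a Get-Item result or a variable
    ("property_assignment",
     re.compile(r"\." + TIMESTAMP_PROPS + r"\s*=(?!=)", re.IGNORECASE)),
    # Set-ItemProperty ... -Name CreationTime
    ("set_itemproperty",
     re.compile(r"Set-ItemProperty\b.*?-Name\s+['\"]?" + TIMESTAMP_PROPS + r"\b",
                re.IGNORECASE)),
    # [System.IO.File]::SetCreationTime(...) and the LastWrite/LastAccess variants
    ("dotnet_setfiletime",
     re.compile(r"\[(?:System\.)?IO\.(?:File|Directory)\]::"
                r"Set(?:Creation|LastWrite|LastAccess)Time(?:Utc)?\s*\(",
                re.IGNORECASE)),
]


def page_query_matches(script_text: str) -> bool:
    """The post's hunting query as a plain case-insensitive substring test:
    script_text contains "get-item" AND one of the three timestamp names."""
    t = script_text.lower()
    return "get-item" in t and any(
        p in t for p in ("lastaccesstime", "lastwritetime", "creationtime"))


def timestomp_rules(script_text: str) -> list:
    """Names of the regex rules that fire on one script block text."""
    return [name for name, rx in RULES if rx.search(script_text)]


def hunt(script_blocks):
    """Run both detections over a list of script block texts and return, per
    block, a tuple of (index, rules fired, page query matched)."""
    return [(i, timestomp_rules(s), page_query_matches(s))
            for i, s in enumerate(script_blocks)]


if __name__ == "__main__":
    for idx, rules, naive in hunt(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{idx}] regex rules: {rules or 'none'} | "
              f"page query: {'hit' if naive else 'miss'}")
```

On the six samples the substring query hits blocks 0, 3 and 4 (block 4 is a false positive, since it only reads LastWriteTime) and misses blocks 1 and 2; the regex rules fire on blocks 0 to 3 and stay quiet on 4 and 5. When running this against real data, pull the events with Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} and remember that long scripts are split across several 4104 events, so the assignment and the Get-Item call may land in different fragments. On disk, these PowerShell assignments (like any SetFileTime caller) rewrite only the $STANDARD_INFORMATION timestamps in the $MFT, not the $FILE_NAME ones, and the values in the report have a zero sub-second component; comparing the two attributes and looking for zeroed fractional seconds remain useful checks during triage.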

Happy hunting!

See you tomorrow!
