Discover and read the best of Twitter Threads about #DefenceEvasion
Most recents (1)
1\ #DefenceEvasion Technique: Maliciously Modifying Registry Timestamps πΏπ
This technique doesn't log events in the Security.evtx and is almost trivial to perform as a defence evasion technique...
Read my blog for technique + detection:
bit.ly/3r7jfuO
TL;DR ππ
This technique doesn't log events in the Security.evtx and is almost trivial to perform as a defence evasion technique...
Read my blog for technique + detection:
bit.ly/3r7jfuO
TL;DR ππ
2\ Why should you care?
During an IR, registry timestamps are important evidence items for timelining & triaging an incident. They answer questions like...
> What files did the TAs open?
> When was a security tool disabled?
> What folders were the TAs looking at?
> etc...
During an IR, registry timestamps are important evidence items for timelining & triaging an incident. They answer questions like...
> What files did the TAs open?
> When was a security tool disabled?
> What folders were the TAs looking at?
> etc...
3\ The native API "NtSetInformationKey" specifically allows a TA to overwrite a registry "Last Write" timestamp in an extremely trivial manner.
The param KEY_SET_INFORMATION_CLASS being passed the value KEY_WRITE_TIME_INFORMATION is what performs this.
undocumented.ntinternals.net/UserMode/Undocβ¦
The param KEY_SET_INFORMATION_CLASS being passed the value KEY_WRITE_TIME_INFORMATION is what performs this.
undocumented.ntinternals.net/UserMode/Undocβ¦
