hunting-for-defense-evasion-via-timestomping

# Hunting for Defense Evasion via Timestomping Detect timestamp manipulation by analyzing NTFS MFT entries for discrepancies between $STANDARD_INFORMATION and $FILE_NAME attributes. ## When to Use - Investigating suspected anti-forensic activity where an adversary may have altered file timestamps to blend malware into legitimate directories - Threat hunting for defense evasion (MITRE ATT&CK T1070.006) across compromised Windows systems - Validating timeline integrity during forensic examinations of disk images or live acquisitions - Triaging suspicious files that appear to have creation dates older than the OS installation or inconsistent with known deployment timelines - Detecting tools like Timestomp (Metasploit), NTimeStomp, SetMACE, or PowerShell Set-ItemProperty used to alter timestamps - Building automated detection pipelines that flag temporal anomalies in MFT data for SOC analysts **Do not use** as the sole detection method; advanced adversaries can manipulate both $STANDARD_INFORMATION and $FILE_NAME timestamps (though the latter requires raw disk access and is much harder). Combine with USN Journal, $LogFile, and ShimCache/Amcache analysis for corroboration. ## Prerequisites - Raw $MFT file extracted from a Windows system (via FTK Imager, KAPE, or live extraction) - `MFTECmd` (Eric Zimmerman tool) or `analyzeMFT` for MFT parsing - Python 3.8+ with `pandas` for analysis - Optional: `mft` Python library (`pip install mft`) for programmatic MFT parsing - Optional...