Add a timestomp sliver command to clear traces in the timestamps
Cobalt Strike and Metasploit have this feature, which lets an operator modify the timestamps in a file's attributes using a UTC time format placeholder.
This is the placeholder to perform timestomp:
MM/DD/YYYY HH24:MI:SS
Help menu for timestomp
sliver (IMPLANT_NAME) > timestomp -h
View timestamps
sliver (IMPLANT_NAME) > timestomp -v file.txt
For MFT entry modified time
sliver (IMPLANT_NAME) > timestomp -e "MM/DD/YYYY HH24:MI:SS" file.txt
For creation time
sliver (IMPLANT_NAME) > timestomp -c "MM/DD/YYYY HH24:MI:SS" file.txt
For last accessed time
sliver (IMPLANT_NAME) > timestomp -a "MM/DD/YYYY HH24:MI:SS" file.txt
For last written time
sliver (IMPLANT_NAME) > timestomp -m "MM/DD/YYYY HH24:MI:SS" file.txt
Set all four timestamps at once
sliver (IMPLANT_NAME) > timestomp -z "MM/DD/YYYY HH24:MI:SS" file.txt
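To show what the `-a`, `-m`, `-z` and `-v` cases above come down to on the implant side, here is an added, stand-alone Go example. It is not Sliver's own code or command implementation; it assumes the implant is running on a platform where `os.Chtimes` works (Linux, macOS, Windows), parses the issue's `MM/DD/YYYY HH24:MI:SS` placeholder as UTC, and also covers the "match a neighbouring file" idea raised later in the thread. Creation time (`-c`) and the MFT entry time (`-e`) need Windows-only calls (`SetFileTime` on an open handle) and are deliberately left out. The file names and the sample timestamps are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// StompLayout is the issue's placeholder "MM/DD/YYYY HH24:MI:SS" written in
// Go's reference-time notation.
const StompLayout = "01/02/2006 15:04:05"

// ParseStomp parses a "MM/DD/YYYY HH24:MI:SS" string as UTC, the convention
// the issue describes for the Cobalt Strike and Metasploit placeholder.
func ParseStomp(s string) (time.Time, error) {
	return time.ParseInLocation(StompLayout, s, time.UTC)
}

// ViewModTime returns the last-written time of path (the -v case, limited to
// the one timestamp os.Stat exposes on every platform).
func ViewModTime(path string) (time.Time, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return time.Time{}, err
	}
	return fi.ModTime().UTC(), nil
}

// StompAccessModify sets the last-accessed (-a) and last-written (-m) times
// from placeholder strings. Both are required because os.Stat does not expose
// the current access time portably, so a one-sided update cannot preserve it.
func StompAccessModify(path, atime, mtime string) error {
	at, err := ParseStomp(atime)
	if err != nil {
		return fmt.Errorf("access time: %w", err)
	}
	mt, err := ParseStomp(mtime)
	if err != nil {
		return fmt.Errorf("modified time: %w", err)
	}
	return os.Chtimes(path, at, mt)
}

// StompAll mirrors -z for the two portable fields; creation time and the MFT
// entry time (-c, -e) require Windows-specific calls and are not shown here.
func StompAll(path, ts string) error {
	return StompAccessModify(path, ts, ts)
}

// MatchSibling copies the modification time of another file in the same
// directory onto path, so a newly dropped file does not stand out in a
// listing sorted by date. sibling is a bare file name, not a path.
func MatchSibling(path, sibling string) error {
	ref, err := ViewModTime(filepath.Join(filepath.Dir(path), sibling))
	if err != nil {
		return err
	}
	return os.Chtimes(path, ref, ref)
}

func main() {
	dir, err := os.MkdirTemp("", "stomp")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed sample: a freshly dropped file next to an "old" neighbour.
	target := filepath.Join(dir, "file.txt")
	neighbour := filepath.Join(dir, "neighbour.dll")
	for _, p := range []string{target, neighbour} {
		if err := os.WriteFile(p, []byte("sample"), 0o644); err != nil {
			panic(err)
		}
	}
	if err := StompAll(neighbour, "03/14/2019 08:15:30"); err != nil {
		panic(err)
	}

	before, _ := ViewModTime(target)
	if err := MatchSibling(target, "neighbour.dll"); err != nil {
		panic(err)
	}
	after, _ := ViewModTime(target)
	fmt.Printf("file.txt mtime before: %s\nfile.txt mtime after:  %s\n", before, after)
}
```

One caveat worth keeping in mind when judging how much this hides: on NTFS, a utime/SetFileTime style call only rewrites the $STANDARD_INFORMATION timestamps. The $FILE_NAME timestamps in the same MFT record are maintained by the kernel and are not touched, so a forensic tool that compares the two attribute sets will still flag the file as stomped.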
I wrote a quick and dirty BOF for doing a basic timestomp / touch match in Windows. No real error checking, but it works… there is a comment in the code for where I borrowed the actual C code that I turned into a BOF.
https://github.com/r00t0v3rr1d3/BasicBOFs/tree/main/touch
Otherwise, a pure Go version was incorporated into Merlin from our Gandalf fork.
https://github.com/Ne0nd0g/merlin/commit/226e8758af74aab1bb9a04b3cbcb720e48e7ad2d
This is a great idea. The same idea could be used to add a flag (default?) that resets any timestamps if you upload an existing file. Edit: for new files it could look at the current directory and match timestamps so that something looking for new files doesn't pop.
It's time to close this feature request since chtimes has already been implemented in the latest stable release of Sliver C2.