MFT is the same for all files within a profile
    I've been looking into a system where a user was phished, clicked the link, and before long malicious PowerShell scripts were running on his machine. We are using an MSSP, but they didn't notify us until the next day that there was a problem. I'm able to put just about everything together regarding the breach, but I've run into a problem understanding the MFT Modified Date. All files within the individual's profile have the same MFT modified date stamp, but very few of these files show up in the most recently used files. I'm trying to determine if any files were exfiltrated, but I'm at a loss as to how the PowerShell scripts could change the MFT date stamp and how this indicates what, if anything, was done to a particular file. Can anyone help me out here? Thanks.

  • #2
    For files, the MFT modified date should be the same as the Modified date, unless something unusual has happened.

    So maybe all the files you are looking at were touched at the same time by some valid process, e.g. a backup / restore process.

    There is no reason that files that have been moved around the file system will show up as a recently used file. There is a difference between opening a file (to edit it) and copying a file.

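As an added example that is not from this thread: a small Python script that decodes the four timestamps at the start of an NTFS $STANDARD_INFORMATION attribute body, flags records whose MFT-modified stamp disagrees with Modified (the "something unusual" case in the answer above), and groups a profile's files by a shared MFT-modified time, which is the pattern the original poster saw. The attribute bodies, file names and times are constructed for the sample, not taken from a real image.

```python
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    td = dt - FILETIME_EPOCH   # integer arithmetic; a float would lose precision
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def parse_standard_information(body):
    # First 32 bytes of a $STANDARD_INFORMATION attribute body, in on-disk order:
    # created, modified (content), MFT modified (record), accessed
    c, m, e, a = struct.unpack_from("<4Q", body, 0)
    return {"created": filetime_to_dt(c), "modified": filetime_to_dt(m),
            "mft_modified": filetime_to_dt(e), "accessed": filetime_to_dt(a)}

def record_mismatch(ts):
    # Normal case per the answer above: MFT modified == Modified. A later MFT-modified
    # stamp means the record changed without the content (rename, attribute/ACL edit,
    # or a rewritten Modified stamp) and deserves a closer look.
    return ts["mft_modified"] != ts["modified"]

def shared_mft_modified(entries, min_files=3):
    # Group by MFT-modified stamp; a big group means one process touched many files
    # at once (backup/restore, sync client, or the intrusion itself).
    groups = defaultdict(list)
    for name, ts in entries:
        groups[ts["mft_modified"]].append(name)
    return {stamp: names for stamp, names in groups.items() if len(names) >= min_files}

def make_si(created, modified, mft_modified, accessed):
    # Builds a constructed attribute body for the sample below (not from a real image);
    # the trailing flags/version fields are zeroed.
    stamps = (dt_to_filetime(t) for t in (created, modified, mft_modified, accessed))
    return struct.pack("<4Q", *stamps) + bytes(16)

T0 = datetime(2019, 7, 3, 14, 30, tzinfo=timezone.utc)  # constructed incident time
T1 = datetime(2018, 1, 10, 9, 0, tzinfo=timezone.utc)   # an older content edit
SAMPLE = [  # constructed profile contents
    ("Documents\\budget.xlsx", parse_standard_information(make_si(T1, T0, T0, T0))),
    ("Documents\\notes.docx", parse_standard_information(make_si(T1, T0, T0, T0))),
    ("Pictures\\team.jpg", parse_standard_information(make_si(T1, T0, T0, T0))),
    ("Desktop\\old.txt", parse_standard_information(make_si(T1, T1, T0, T1))),
]

def record_only_changes(entries=SAMPLE):
    return [name for name, ts in entries if record_mismatch(ts)]
```

On a real case the bodies would come from the $STANDARD_INFORMATION attribute of each $MFT record for the profile, and a large shared group plus the MRU evidence is what separates a bulk touch from individual file access.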


    • #3
      Thanks, David. The MFT modified date is the same as the Modified date, and the date/time stamp is the same as when the malicious activity occurred on the system. Your response clears things up for me. Hope your 4th celebrations are great!
