Detects NTFS timestomping (MITRE T1070.006) by comparing MFT $STANDARD_INFORMATION and $FILE_NAME timestamps using analyzeMFT and Python. For threat hunting anti-forensic activity.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
Detects timestamp tampering by analyzing discrepancies between the $STANDARD_INFORMATION and $FILE_NAME attributes in NTFS MFT entries.
Detects timestomping evasion by comparing $STANDARD_INFORMATION and $FILE_NAME timestamps in NTFS MFT using Python, analyzeMFT, and MFTECmd. For threat hunting and forensics on Windows.
Detects NTFS timestomping (MITRE T1070.006) by comparing $STANDARD_INFORMATION and $FILE_NAME timestamps in MFT using analyzeMFT, MFTECmd, and Python. For threat hunting defense evasion on Windows systems.
Analyzes NTFS slack space, MFT entries, USN journals, and alternate data streams to recover hidden data and reconstruct file activity using TSK and Python tools.