GPEN Question #407: Real Exam Question with Answer & Explanation
The correct answer is D. Browser. Changing file timestamps (timestomping) in Meterpreter for anti-forensics is performed via the Priv module - the listed correct answer of 'Browser' appears to be an error in this question's answer key.
Question
You have compromised a Windows workstation using Metasploit and have injected the Meterpreter payload into the svchost process. After modifying some files to set up a persistent backdoor you realize that you will need to change the modified and access times of the files to ensure that the administrator can't see the changes you made. Which Meterpreter module would you need to load in order to do this?
Options
- A. Core
- B. Priv
- C. Stdapi
- D. Browser
Explanation
Changing file timestamps (timestomping) in Meterpreter for anti-forensics is performed via the Priv module - the listed correct answer of 'Browser' appears to be an error in this question's answer key.
Common mistakes
- A. The Core module manages fundamental session operations such as transport negotiation, encryption, and channel control, and provides no file system timestamp modification functionality.
- B. The Priv module is actually the technically correct answer for timestomping, as it provides the 'timestomp' command that alters file Modified, Accessed, Changed, and Entry timestamps to hinder forensic investigation - making this the accurate choice despite the provided answer key.
- C. The Stdapi module provides general-purpose file system, network, and system API access including file transfers and process enumeration, but does not include dedicated timestamp manipulation commands.
Concept tested. Meterpreter Priv module timestomping for anti-forensics
Reference. https://www.offsec.com/metasploit-unleashed/timestomping/