One Day Sec

How can an attacker modify all four NTFS timestamps, including MFTChangeTime?

The standard WinAPI SetFileTime can only modify CreateTime, AccessTime, and LastWriteTime. To also modify MFTChangeTime, an attacker must use the native API NtSetInformationFile, as implemented in Metasploit's timestomp. This allows setting all four timestamps to arbitrary values.

---
**Related reading:**
- Penetration Techniques - Time Attributes of NTFS Files in Windows — original article
- Penetration Basics - Implementation of Exchange One-Liner Backdoor
- Penetration Basics - Methods to Continuously Obtain Exchange User Inbox Emails
- Steganography Techniques - Hiding Payloads Using JPEG File Format