{"id":1133,"date":"2023-02-16T22:49:55","date_gmt":"2023-02-16T21:49:55","guid":{"rendered":"https:\/\/counterintelligence.pl\/?p=1133"},"modified":"2023-02-16T23:02:57","modified_gmt":"2023-02-16T22:02:57","slug":"techniki-anti-forensic-timestomping-rejestru","status":"publish","type":"post","link":"https:\/\/counterintelligence.pl\/en\/2023\/02\/techniki-anti-forensic-timestomping-rejestru\/","title":{"rendered":"Anti-forensics techniques - registry timestomping"},"content":{"rendered":"<p class=\"has-text-align-left wp-block-paragraph\"><a href=\"https:\/\/counterintelligence.pl\/en\/2023\/01\/anti-forensic-wstep-i-timestomping\/\">In the previous post<\/a> we dealt with one of the most popular anti-forensic techniques - timestomping. We changed file timestamps to confuse analysts and make the files appear unrelated to malicious activity. This time we will try to transfer timestomping to another source of evidence - the Windows registry. The registry is by far one of the most important sources of evidence. There we will find information about both the operating system and computer configuration, as well as user activity. Its content is also not easy for attackers to hide. Just as simply deleting a file does not physically erase it from disk, deleted keys and values will often be recoverable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#039;s start with the basics - the structure of the registry and why attackers would be interested in changing timestamps at all. The registry is stored in hive files that contain key configuration information about the system and user activity. 
The registry consists of four main keys:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HKEY_CLASSES_ROOT<\/li>\n\n\n\n<li>HKEY_CURRENT_USER<\/li>\n\n\n\n<li>HKEY_LOCAL_MACHINE<\/li>\n\n\n\n<li>HKEY_USERS<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In the file system, most of the registry is located in the Windows\\system32\\config directory:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"465\" height=\"257\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-6.png?resize=465%2C257&#038;ssl=1\" alt=\"\" class=\"wp-image-1145\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-6.png?w=465&amp;ssl=1 465w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-6.png?resize=300%2C166&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-6.png?resize=18%2C10&amp;ssl=1 18w\" sizes=\"auto, (max-width: 465px) 100vw, 465px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Specifically, we will be interested in the DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM files. In the registry, these files will contain keys under HKEY_LOCAL_MACHINE and store information about machine configuration, services, devices, user accounts, password policies and applications. In addition to computer-related data, each user has their own section of the registry stored in the NTUSER.DAT and UsrClass.DAT files. The keys contained therein are extremely useful for DFIR analysts as they make it possible to obtain a lot of information about the user&#039;s behavior, such as recently searched files, addresses entered in the web browser, and open files or folders. 
In the course of post-hack analysis, they allow you to track the activity of attackers in the system.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-10.png?resize=640%2C102&#038;ssl=1\" alt=\"\" class=\"wp-image-1157\" width=\"640\" height=\"102\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-10.png?w=951&amp;ssl=1 951w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-10.png?resize=300%2C48&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-10.png?resize=768%2C122&amp;ssl=1 768w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-10.png?resize=18%2C3&amp;ssl=1 18w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><figcaption class=\"wp-element-caption\">Last logon time in SAM\\Domains\\Accounts\\Users<\/figcaption><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-12.png?resize=640%2C132&#038;ssl=1\" alt=\"\" class=\"wp-image-1159\" width=\"640\" height=\"132\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-12.png?w=876&amp;ssl=1 876w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-12.png?resize=300%2C62&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-12.png?resize=768%2C159&amp;ssl=1 768w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-12.png?resize=18%2C4&amp;ssl=1 18w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><figcaption 
class=\"wp-element-caption\">Recently opened documents under SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">In the attached pictures, we can see the &quot;Last write timestamp&quot; parameter, which allows you to determine the time of the last change to the key. From an incident analysis perspective, this timestamp, combined with the information stored in the keys, helps analysts reconstruct the course of events. Recalling the example of information about recently searched files, we can even determine whether files related to specific, confidential projects were searched during malicious activity. Registry timestomping by attackers can therefore cause the activity time determined on the basis of the keys to be inconsistent with the information obtained from other artifacts, significantly disrupting the course of the investigation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So let&#039;s create an artifact that could simulate attackers trying to gain persistent access to the environment. One of the most interesting places is the keys created in connection with <a href=\"https:\/\/attack.mitre.org\/techniques\/T1547\/001\/\">automatically running programs or commands at startup, which can be used to maintain access to the environment<\/a>. 
So let&#039;s put such an example entry in the key <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/code>:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz.png?resize=640%2C88&#038;ssl=1\" alt=\"\" class=\"wp-image-1136\" width=\"640\" height=\"88\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz.png?w=992&amp;ssl=1 992w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz.png?resize=300%2C41&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz.png?resize=768%2C106&amp;ssl=1 768w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz.png?resize=18%2C2&amp;ssl=1 18w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The favorite tool of all attackers - the calculator - is therefore in place. 
Now let&#039;s look at the last write timestamp of the key:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-1.png?resize=640%2C67&#038;ssl=1\" alt=\"\" class=\"wp-image-1137\" width=\"640\" height=\"67\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-1.png?w=886&amp;ssl=1 886w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-1.png?resize=300%2C31&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-1.png?resize=768%2C81&amp;ssl=1 768w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-1.png?resize=18%2C2&amp;ssl=1 18w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">It is February 2, 22:37. To change this value we will use the tool <a href=\"https:\/\/code.google.com\/archive\/p\/mft2csv\/wikis\/SetRegTime.wiki\">&quot;SetRegTime&quot; written by Joachim Schicht<\/a>. It takes advantage of <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winternl\/nf-winternl-ntsetinformationkey\">the NtSetInformationKey function<\/a> available in the Windows API. As we read in the documentation, it allows you to set the information described by <strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/wdm\/ne-wdm-_key_set_information_class\">KEY_SET_INFORMATION_CLASS<\/a><\/strong>, where we find <strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/wdm\/ns-wdm-_key_write_time_information\">KEY_WRITE_TIME_INFORMATION<\/a><\/strong>, which stores the time of the last write to the key. 
In addition, the author used the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/wdm\/nf-wdm-zwflushkey\">NtFlushKey<\/a> function to force the changes to be written to disk immediately after the modification. The program has two modes; the first reads the last write time of a specific key:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-2.png?resize=640%2C130&#038;ssl=1\" alt=\"\" class=\"wp-image-1138\" width=\"640\" height=\"130\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-2.png?w=791&amp;ssl=1 791w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-2.png?resize=300%2C61&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-2.png?resize=768%2C156&amp;ssl=1 768w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-2.png?resize=18%2C4&amp;ssl=1 18w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The displayed time agrees with what we saw <a href=\"https:\/\/www.sans.org\/tools\/registry-explorer\/\">in the Registry Explorer window<\/a>. The second mode changes the attribute. We will move the last write time a few days back. It is worth noting that, as with file timestamps, the accuracy extends beyond seconds. 
For registry keys, these are 100 nanosecond intervals:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-3.png?resize=640%2C100&#038;ssl=1\" alt=\"\" class=\"wp-image-1139\" width=\"640\" height=\"100\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-3.png?resize=1024%2C160&amp;ssl=1 1024w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-3.png?resize=300%2C47&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-3.png?resize=768%2C120&amp;ssl=1 768w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-3.png?resize=18%2C3&amp;ssl=1 18w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-3.png?w=1085&amp;ssl=1 1085w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">And again we look into RegistryExplorer to verify the operation:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-4.png?resize=640%2C86&#038;ssl=1\" alt=\"\" class=\"wp-image-1140\" width=\"640\" height=\"86\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-4.png?w=881&amp;ssl=1 881w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-4.png?resize=300%2C41&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-4.png?resize=768%2C104&amp;ssl=1 768w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-4.png?resize=18%2C2&amp;ssl=1 18w\" 
sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">As expected, the timestamp now matches the value we selected. It is worth noting here that we make changes at the key level. In our example, the Run key contains three values, so the timestamp alone does not tell us which of them the change applies to - it&#039;s just a matter of knowing what should be in the system. In addition, it should be noted that the tool will only modify the specific key that we provide as a parameter. This may seem obvious, but it is not entirely consistent with how the operating system behaves. For keys that contain subkeys, the parent&#039;s last modified time will coincide with the last modified time of the subkey. As we can see in the example:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-9.png?resize=517%2C196&#038;ssl=1\" alt=\"\" class=\"wp-image-1154\" width=\"517\" height=\"196\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-9.png?w=517&amp;ssl=1 517w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-9.png?resize=300%2C114&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-9.png?resize=18%2C7&amp;ssl=1 18w\" sizes=\"auto, (max-width: 517px) 100vw, 517px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">In this respect, the tool is therefore too precise: the attacker will also have to modify the timestamp of the parent key to cover their tracks. What&#039;s more, they will have to watch all the timestamps within the key so as not to end up with a subkey whose date is later than the modification time of the parent key. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So what are our detection capabilities? We can approach the matter from three sides:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Detecting registry value modifications.<\/li>\n\n\n\n<li>Detecting the effects of registry modifications.<\/li>\n\n\n\n<li>Detecting the operation of the tool itself.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">As for the first option, changes in the registry are monitored by <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/event-4657\">event 4657 in the Security log<\/a> \u2013 a registry value was modified. Unfortunately, in our case it will not be helpful. It covers value changes, and the last write time of a key is not a registry value, so no record will be created.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Therefore, in terms of registry-based detections, we are left with <a href=\"https:\/\/www.inversecos.com\/2022\/04\/malicious-registry-timestamp.html\">looking for anomalies in the consistency of key and subkey timestamps<\/a>. The attacker would have to modify the entire set of keys to keep the timestamps consistent:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-22.png?resize=530%2C134&#038;ssl=1\" alt=\"\" class=\"wp-image-1181\" width=\"530\" height=\"134\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-22.png?w=530&amp;ssl=1 530w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-22.png?resize=300%2C76&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-22.png?resize=18%2C5&amp;ssl=1 18w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><figcaption 
class=\"wp-element-caption\">Before modification<\/figcaption><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-23.png?resize=447%2C133&#038;ssl=1\" alt=\"\" class=\"wp-image-1182\" width=\"447\" height=\"133\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-23.png?w=447&amp;ssl=1 447w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-23.png?resize=300%2C89&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-23.png?resize=18%2C5&amp;ssl=1 18w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><figcaption class=\"wp-element-caption\">A key with a last modified date later than the parent key.<\/figcaption><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Approaching the topic from a different angle, we can try to match the registry values with artifacts related to the effects of the modifications. So if we encounter an artifact indicating that an application was added to autostart, analyzing when the program actually started running at system startup will help determine whether the timestamp is genuine. 
So we can search the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/event-4688\">event 4688<\/a> (a new process has been created) logs to verify the launches of the application stored in the key value.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, perhaps the most effective solution is to monitor processes and API calls. In the attached image from Process Monitor we can clearly see the function called by SetRegTime to modify the time:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-19.png?resize=640%2C58&#038;ssl=1\" alt=\"\" class=\"wp-image-1177\" width=\"640\" height=\"58\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-19.png?w=1020&amp;ssl=1 1020w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-19.png?resize=300%2C27&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-19.png?resize=768%2C69&amp;ssl=1 768w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-19.png?resize=18%2C2&amp;ssl=1 18w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-20.png?resize=640%2C47&#038;ssl=1\" alt=\"\" class=\"wp-image-1178\" width=\"640\" height=\"47\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-20.png?resize=1024%2C75&amp;ssl=1 1024w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-20.png?resize=300%2C22&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-20.png?resize=768%2C56&amp;ssl=1 768w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-20.png?resize=18%2C1&amp;ssl=1 18w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-20.png?w=1193&amp;ssl=1 1193w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">We also see how, immediately after modifying the data, the program forces the changes to be written to disk thanks to NtFlushKey.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In order to apply this method effectively, monitoring must be carried out in real time. When it comes to analyzing a memory image, the dump would have to be taken at the moment the registry was being modified in order to capture the function call. Process monitoring tools will also record the tool being launched with the following parameter:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-8.png?resize=640%2C226&#038;ssl=1\" alt=\"\" class=\"wp-image-1152\" width=\"640\" height=\"226\" srcset=\"https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-8.png?w=896&amp;ssl=1 896w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-8.png?resize=300%2C106&amp;ssl=1 300w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-8.png?resize=768%2C271&amp;ssl=1 768w, https:\/\/i0.wp.com\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/obraz-8.png?resize=18%2C6&amp;ssl=1 18w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">However, the function might as well be implemented within another executable file and not leave such an 
obvious trace. On the other hand, if malware samples were obtained and a call to <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/winternl\/nf-winternl-ntsetinformationkey\">NtSetInformationKey<\/a> was detected during their analysis, it can put us on the right track in terms of searching for irregularities in the registry.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In conclusion, registry timestomping is not easy to detect. The most reliable method is process monitoring, which makes it possible to build detections based on calls to the functions responsible for changing the timestamp, and possibly also on the use of NtFlushKey to commit the changes immediately. Let us remember, however, that timestomping in this form has limited usefulness. If we change the last modification time of a key, the values already stored in it - such as the user&#039;s last login time - will not be changed. Ultimately, therefore, the most important thing will be to collate the evidence from various sources and determine where the attackers could have modified the artifacts and what their intentions were.<\/p>","protected":false},"excerpt":{"rendered":"<p>W poprzednim po\u015bcie zajmowali\u015bmy si\u0119 jedn\u0105 z popularniejszych technik anti-forensic &#8211; timestompingiem. Zmieniali\u015bmy wi\u0119c sygnatury czasowe plik\u00f3w tak aby zmyli\u0107 analityk\u00f3w i sprawi\u0107 aby pliki wydawa\u0142y si\u0119 niepowi\u0105zane ze z\u0142o\u015bliw\u0105 aktywno\u015bci\u0105. Tym razem spr\u00f3bujemy timestomping przenie\u015b\u0107 na grunt kolejnego \u017ar\u00f3d\u0142a dowod\u00f3w &#8211; rejestru systemu Windows. 
Rejestr jest zdecydowanie jednym z [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1183,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"cybocfi_hide_featured_image":"","_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[98],"tags":[103,108,99,107,100],"class_list":["post-1133","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dfir","tag-anti-forensics","tag-api","tag-dfir","tag-registry","tag-timestomping"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Techniki anti-forensics - timestomping rejestru<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/counterintelligence.pl\/en\/2023\/02\/techniki-anti-forensic-timestomping-rejestru\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Techniki anti-forensics - timestomping rejestru\" \/>\n<meta property=\"og:description\" content=\"W poprzednim po\u015bcie zajmowali\u015bmy si\u0119 jedn\u0105 z popularniejszych technik anti-forensic &#8211; timestompingiem. Zmieniali\u015bmy wi\u0119c sygnatury czasowe plik\u00f3w tak aby zmyli\u0107 analityk\u00f3w i sprawi\u0107 aby pliki wydawa\u0142y si\u0119 niepowi\u0105zane ze z\u0142o\u015bliw\u0105 aktywno\u015bci\u0105. Tym razem spr\u00f3bujemy timestomping przenie\u015b\u0107 na grunt kolejnego \u017ar\u00f3d\u0142a dowod\u00f3w &#8211; rejestru systemu Windows. 
Rejestr jest zdecydowanie jednym z [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/counterintelligence.pl\/en\/2023\/02\/techniki-anti-forensic-timestomping-rejestru\/\" \/>\n<meta property=\"og:site_name\" content=\"counterintelligence.pl\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-16T21:49:55+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-02-16T22:02:57+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/counterintelligence.pl\/wp-content\/uploads\/2023\/02\/Zrzut-ekranu-2023-02-16-222207.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1206\" \/>\n\t<meta property=\"og:image:height\" content=\"823\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kamil Bojarski\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@lawsecnet\" \/>\n<meta name=\"twitter:site\" content=\"@lawsecnet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kamil Bojarski\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/\"},\"author\":{\"name\":\"Kamil Bojarski\",\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/#\\\/schema\\\/person\\\/a2bd0e683e8f31df48bd02f45508e8ba\"},\"headline\":\"Techniki anti-forensics &#8211; timestomping rejestru\",\"datePublished\":\"2023-02-16T21:49:55+00:00\",\"dateModified\":\"2023-02-16T22:02:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/\"},\"wordCount\":1384,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/#\\\/schema\\\/person\\\/a2bd0e683e8f31df48bd02f45508e8ba\"},\"image\":{\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/counterintelligence.pl\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/Zrzut-ekranu-2023-02-16-222207.png?fit=1206%2C823&ssl=1\",\"keywords\":[\"anti-forensics\",\"API\",\"dfir\",\"registry\",\"timestomping\"],\"articleSection\":[\"DFIR\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/\",\"url\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/\",\"nam
e\":\"Techniki anti-forensics - timestomping rejestru\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/counterintelligence.pl\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/Zrzut-ekranu-2023-02-16-222207.png?fit=1206%2C823&ssl=1\",\"datePublished\":\"2023-02-16T21:49:55+00:00\",\"dateModified\":\"2023-02-16T22:02:57+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/#primaryimage\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/counterintelligence.pl\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/Zrzut-ekranu-2023-02-16-222207.png?fit=1206%2C823&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/counterintelligence.pl\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/Zrzut-ekranu-2023-02-16-222207.png?fit=1206%2C823&ssl=1\",\"width\":1206,\"height\":823},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/2023\\\/02\\\/techniki-anti-forensic-timestomping-rejestru\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/counterintelligence.pl\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Techniki anti-forensics &#8211; timestomping 
rejestru\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/#website\",\"url\":\"https:\\\/\\\/counterintelligence.pl\\\/\",\"name\":\"counterintelligence.pl\",\"description\":\"Threat Inteliigence \\\/ OSINT \\\/ NETSEC \\\/ NATSEC\",\"publisher\":{\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/#\\\/schema\\\/person\\\/a2bd0e683e8f31df48bd02f45508e8ba\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/counterintelligence.pl\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/counterintelligence.pl\\\/#\\\/schema\\\/person\\\/a2bd0e683e8f31df48bd02f45508e8ba\",\"name\":\"Kamil Bojarski\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/counterintelligence.pl\\\/wp-content\\\/uploads\\\/2023\\\/11\\\/ci_hor.png?fit=1521%2C721&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/counterintelligence.pl\\\/wp-content\\\/uploads\\\/2023\\\/11\\\/ci_hor.png?fit=1521%2C721&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/counterintelligence.pl\\\/wp-content\\\/uploads\\\/2023\\\/11\\\/ci_hor.png?fit=1521%2C721&ssl=1\",\"width\":1521,\"height\":721,\"caption\":\"Kamil Bojarski\"},\"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/counterintelligence.pl\\\/wp-content\\\/uploads\\\/2023\\\/11\\\/ci_hor.png?fit=1521%2C721&ssl=1\"},\"sameAs\":[\"https:\\\/\\\/counterintelligence.pl\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/kamil-bojarski\\\/\",\"https:\\\/\\\/x.com\\\/lawsecnet\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}