Timestomping using Touch Command
Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.
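As an added example that is not part of the Elastic rule or its documentation, the Python below reproduces what `touch -r reference target` and `touch -t CCYYMMDDhhmm.SS target` actually do (a `utime(2)` call on atime/mtime) and shows the artefact a forensic reviewer can still fall back on: `utime()` cannot set the inode change time (ctime), which the kernel stamps with the current clock, so a freshly backdated file carries an mtime far older than its ctime, and a stamp set with `-t` has an exactly zero sub-second component. File names, the sample contents and the 2019/2020 timestamps are constructed for the demo.

```python
import os
import tempfile
import time


def timestomp_like_touch_r(reference: str, target: str) -> None:
    """Equivalent of `touch -r reference target`: copy atime and mtime
    (nanosecond precision) from reference onto target."""
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def timestomp_like_touch_t(target: str, when: str) -> None:
    """Equivalent of `touch -t CCYYMMDDhhmm.SS target`.
    The stamp is parsed in local time, as touch does; it has no sub-second part."""
    epoch = time.mktime(time.strptime(when, "%Y%m%d%H%M.%S"))
    os.utime(target, (epoch, epoch))


def ctime_mtime_skew(path: str) -> float:
    """Seconds by which the inode change time leads the content mtime.
    utime() cannot set ctime, so a backdated file shows a large positive skew.
    Caveat: chmod/chown also bump ctime without touching mtime, so skew alone
    is a lead, not proof."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def demo() -> dict:
    """Stomp a constructed 'dropped' file to match a constructed 'legit' neighbour
    and report the indicators that survive."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "legit.conf")   # constructed neighbour
        tgt = os.path.join(d, "dropped.so")   # constructed attacker file
        for p in (ref, tgt):
            with open(p, "w") as fh:
                fh.write("constructed sample file\n")

        # Make the neighbour look long-installed: 2019-01-01T00:00:00.123456789Z.
        old_ns = 1_546_300_800_123_456_789
        os.utime(ref, ns=(old_ns, old_ns))

        timestomp_like_touch_r(ref, tgt)
        mtime_copied = os.stat(tgt).st_mtime_ns == os.stat(ref).st_mtime_ns
        skew_after_r = ctime_mtime_skew(tgt)   # ctime is "now", mtime is 2019

        timestomp_like_touch_t(tgt, "202001011200.00")
        subsecond_after_t = os.stat(tgt).st_mtime_ns % 1_000_000_000

        return {
            "mtime_copied": mtime_copied,
            "ctime_skew_seconds": skew_after_r,
            "subsecond_ns_after_t": subsecond_after_t,
        }


if __name__ == "__main__":
    print(demo())
```

On ext4, XFS, APFS and tmpfs the nanosecond copy is exact; a filesystem with coarser timestamp granularity truncates reference and target alike, so the equality check still holds there. The ctime skew is what the `touch` invocation cannot hide from a host-based review, which is why process-level detection of the `touch` call itself (the rule below) is worth having in addition.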
Elastic rule

```toml
[metadata]
creation_date = "2020/11/03"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that
are in the same folder.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "Timestomping using Touch Command"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 47
rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and
  process.name : "touch" and user.id != "0" and
  process.args : ("-r", "-t", "-a*", "-m*") and
  not process.args : ("/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.006"
name = "Timestomp"
reference = "https://attack.mitre.org/techniques/T1070/006/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
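To see what the query above does and does not fire on, here is an added Python re-implementation of its `where` clause run over constructed process-start events (this is illustrative code, not Elastic's EQL engine; the `eql_like` helper approximates the `:` operator as case-insensitive matching with `*` as a wildcard, and the event dicts use flattened ECS field names as assumed keys). The pattern lists are copied verbatim from the rule.

```python
import re
from typing import Dict, Iterable, List

# Patterns copied from the rule's EQL query.
TOUCH_ARG_PATTERNS = ("-r", "-t", "-a*", "-m*")
EXCLUDED_ARG_PATTERNS = (
    "/usr/lib/go-*/bin/go",
    "/usr/lib/dracut/dracut-functions.sh",
    "/tmp/KSInstallAction.*/m/.patch/*",
)


def eql_like(value: str, pattern: str) -> bool:
    """Approximation of EQL's ':' operator (assumption, not Elastic's parser):
    case-insensitive, '*' matches any run of characters, everything else literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def any_match(values: Iterable[str], patterns: Iterable[str]) -> bool:
    """`field : (p1, p2, ...)` on an array field: true if any element matches any pattern."""
    return any(eql_like(v, p) for v in values for p in patterns)


def matches_rule(event: Dict) -> bool:
    """Evaluate the rule's where-clause against one flattened ECS event."""
    if event.get("event.type") != "start":
        return False
    if not eql_like(event.get("process.name", ""), "touch"):
        return False
    # `user.id != "0"`: root is excluded, and in EQL a missing field compares
    # as null, which never satisfies the condition either.
    if event.get("user.id") in (None, "0"):
        return False
    args = event.get("process.args", [])
    if not any_match(args, TOUCH_ARG_PATTERNS):
        return False
    if any_match(args, EXCLUDED_ARG_PATTERNS):   # the rule's allow-listed paths
        return False
    return True


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    # 0: copy a neighbour's timestamps onto a dropped binary -> alert
    {"event.type": "start", "process.name": "touch", "user.id": "1000",
     "process.args": ["touch", "-r", "/usr/bin/ls", "/usr/bin/.cache-helper"]},
    # 1: explicit backdated stamp with -t -> alert
    {"event.type": "start", "process.name": "touch", "user.id": "1000",
     "process.args": ["touch", "-t", "202001011200.00", "/tmp/payload"]},
    # 2: same command as root -> excluded by user.id != "0"
    {"event.type": "start", "process.name": "touch", "user.id": "0",
     "process.args": ["touch", "-r", "/etc/passwd", "/etc/.shadow-bak"]},
    # 3: plain touch with no timestamp flags -> no alert
    {"event.type": "start", "process.name": "touch", "user.id": "1000",
     "process.args": ["touch", "/tmp/newfile"]},
    # 4: -r present, but the Go toolchain path is allow-listed -> no alert
    {"event.type": "start", "process.name": "touch", "user.id": "1000",
     "process.args": ["touch", "-r", "/usr/lib/go-1.20/bin/go", "/tmp/x"]},
    # 5: GNU long option spelling; not in the pattern list -> no alert
    {"event.type": "start", "process.name": "touch", "user.id": "1000",
     "process.args": ["touch", "--reference=/usr/bin/ls", "/tmp/payload"]},
]


def run_rule(events: List[Dict]) -> List[int]:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```

Two things worth noting from the run. The `-a*` and `-m*` patterns catch combined short flags such as `-am`, but the pattern list contains no long options, so GNU spellings like `--reference=FILE` or `--date=` (event 5) and `-d` fall outside the query as written; if your fleet runs GNU coreutils, consider whether to extend the list. The allow-list is matched against any argument, so a `-r` invocation that names one of the excluded paths anywhere on the command line (event 4) is suppressed regardless of which file is being stomped.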
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested
and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested
to @timestamp for this rule to work.
Related rules
- Elastic Agent Service Terminated
- Masquerading Space After Filename
- Tampering of Bash Command-Line History
- WebServer Access Logs Deleted
- Attempt to Disable Gatekeeper