Timestomping using Touch Command
Timestomping is an anti-forensics technique used to modify the timestamps of a file, often to mimic files in the same folder so that a planted file does not stand out by date. On Linux and macOS the `touch` command can set a file's access and modification times (but not its change time, which the kernel updates to the current time whenever `touch` writes new timestamps).
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/11/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that
are in the same folder.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "Timestomping using Touch Command"
risk_score = 47
rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "OS: macOS",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and
  process.name : "touch" and user.id != "0" and
  process.args : ("-r", "-t", "-a*","-m*") and
  not process.args : (
    "/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*"
  ) and not process.parent.name in ("pmlogger_daily", "pmlogger_janitor", "systemd")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Timestomping using Touch Command

Timestomping is a technique used by adversaries to alter file timestamps, making malicious files blend with legitimate ones. The 'touch' command, prevalent in Linux and macOS, can modify access and modification times. Attackers exploit this to evade detection. The detection rule identifies suspicious 'touch' usage by non-root users, focusing on specific arguments and excluding benign processes, thus highlighting potential timestomping activities.

### Possible investigation steps

- Review the process details to identify the user who executed the 'touch' command, focusing on the user.id field to determine if the user is legitimate and authorized to perform such actions.
- Examine the process.args field to understand the specific arguments used with the 'touch' command, particularly looking for the use of "-r", "-t", "-a*", or "-m*" which indicate potential timestomping activity.
- Investigate the parent process of the 'touch' command by checking the process.parent.name field to determine if it was initiated by a suspicious or unexpected process, excluding known benign processes like "pmlogger_daily", "pmlogger_janitor", and "systemd".
- Cross-reference the file paths and names involved in the 'touch' command with known system files and directories to assess if the files are legitimate or potentially malicious.
- Check for any recent alerts or logs related to the same user or process to identify patterns or repeated attempts at timestomping or other suspicious activities.

### False positive analysis

- Non-root users running legitimate scripts or applications that use the touch command with similar arguments may trigger false positives. To mitigate this, identify and whitelist these specific scripts or applications by adding their paths to the exclusion list.
- Automated system maintenance tasks that involve file timestamp modifications can be mistaken for malicious activity. Review and exclude known maintenance processes by adding them to the exclusion criteria, ensuring they do not match the suspicious argument patterns.
- Development tools or environments that utilize the touch command for file management during build processes might be flagged. Analyze these tools and exclude their typical usage patterns by specifying their paths or parent processes in the exclusion list.
- User-initiated file management activities, such as organizing or backing up files, can inadvertently match the rule's criteria. Educate users on the implications of using touch with specific arguments and consider excluding common user directories from the rule if they are frequently involved in such activities.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and potential lateral movement by the attacker.
- Conduct a thorough review of the affected system's file system to identify and document any files with suspicious timestamp modifications, focusing on those altered by non-root users.
- Restore any critical files with altered timestamps from known good backups to ensure data integrity and system reliability.
- Revoke or reset credentials for any non-root users involved in the suspicious 'touch' command activity to prevent unauthorized access.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring on the affected system and similar environments to detect any further attempts at timestomping or related suspicious activities.
- Review and update access controls and permissions to ensure that only authorized users have the ability to modify file timestamps, reducing the risk of future timestomping attempts."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.006"
name = "Timestomp"
reference = "https://attack.mitre.org/techniques/T1070/006/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
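The EQL predicate above, and the file-system review step in the investigation guide, as an added shell example that is not part of the Elastic rule or its guide. The first function re-expresses the query's conditions (non-root user, parent allow-list, the -r/-t/-a*/-m* argument list and the excluded paths) so you can see which constructed `touch` invocations would and would not alert; the second part runs real `touch -t` and `touch -r` stomps in a scratch directory and shows the on-disk tell: `touch` sets atime and mtime, but the kernel always moves ctime to "now", so a stomped file has a ctime well after its claimed mtime. Function names, the sample events and the scratch files are assumptions made for this example; `stat` is called in its GNU form first and its BSD/macOS form as a fallback.

```shell
#!/bin/sh
# Added example (not part of the Elastic rule): emulate the rule's predicate on
# constructed events, then demonstrate the ctime tell left by a touch timestomp.
set -eu

# --- 1. The rule's predicate, re-expressed in shell ---------------------------
# rule_matches UID PARENT_NAME TOUCH_ARGS...  -> exit 0 when the rule would fire.
# Mirrors the EQL: user.id != "0", parent not in the allow-list, at least one
# argument matching -r / -t / -a* / -m*, and no argument matching an excluded path.
rule_matches() {
    uid=$1; parent=$2; shift 2
    [ "$uid" != "0" ] || return 1                      # root is excluded by design
    case "$parent" in
        pmlogger_daily|pmlogger_janitor|systemd) return 1 ;;
    esac
    hit=1
    for a in "$@"; do
        case "$a" in
            -r|-t|-a*|-m*) hit=0 ;;                    # the rule's argument list
        esac
        case "$a" in                                   # the rule's path exclusions
            /usr/lib/go-*/bin/go|/usr/lib/dracut/dracut-functions.sh|/tmp/KSInstallAction.*/m/.patch/*) return 1 ;;
        esac
    done
    return "$hit"
}

# --- 2. The forensic check ----------------------------------------------------
# Prints "<mtime> <ctime>" in epoch seconds; GNU stat first, BSD/macOS stat as fallback.
file_times() {
    stat -c '%Y %Z' "$1" 2>/dev/null || stat -f '%m %c' "$1"
}

# looks_timestomped FILE [TOLERANCE_SECONDS] -> exit 0 when ctime - mtime > tolerance.
# touch can set atime/mtime but never ctime, so a stomp leaves ctime far ahead of mtime.
looks_timestomped() {
    tol=${2:-60}
    t=$(file_times "$1")
    mtime=${t% *}; ctime=${t#* }
    [ $((ctime - mtime)) -gt "$tol" ]
}

# Builds a scratch directory (constructed data for this example): a neighbour with
# an old timestamp, a planted file stomped to match it, and a control written normally.
timestomp_demo() {
    d=$(mktemp -d)
    printf 'config\n' > "$d/app.conf"
    touch -t 202301151030 "$d/app.conf"              # -t: explicit [[CC]YY]MMDDhhmm stamp
    printf 'payload\n' > "$d/app.conf.bak"
    touch -r "$d/app.conf" "$d/app.conf.bak"          # -r: copy atime/mtime from reference
    printf 'notes\n' > "$d/notes.txt"                 # untouched control: mtime == ctime
    echo "$d"
}

# --- 3. Walk through both ----------------------------------------------------
main() {
    # Constructed events: "UID PARENT touch-args". -d and --reference stomp just as
    # well but are not in the rule's argument list, so those stay silent.
    for ev in \
        "1000 bash -r /etc/app.conf /tmp/.x" \
        "1000 bash -am /tmp/.x" \
        "0 bash -r /etc/app.conf /tmp/.x" \
        "1000 systemd -t 202301151030 /tmp/.x" \
        "1000 bash -d 2023-01-15 /tmp/.x"; do
        # shellcheck disable=SC2086
        if rule_matches $ev; then r=ALERT; else r=silent; fi
        echo "$r    touch event: $ev"
    done
    d=$(timestomp_demo)
    for f in "$d/app.conf" "$d/app.conf.bak" "$d/notes.txt"; do
        if looks_timestomped "$f"; then r=SUSPECT; else r=ok; fi
        echo "$r    mtime/ctime: $(file_times "$f")    $f"
    done
    rm -rf "$d"
}
main
```

Two things the walk-through makes visible. First, the rule's coverage follows its argument list literally: `touch -d` / `--date` and `--reference=FILE` change the same timestamps but do not match `-r`, `-t`, `-a*` or `-m*`, and anything run as uid 0 is out of scope, so the rule is a signal for the common case rather than a complete control. Second, the ctime gap is a triage lead, not proof: the reference file `app.conf` is flagged too because its mtime was set with `-t`, and an ordinary `chmod`, `chown` or rename also bumps ctime without touching mtime, so confirm with file content, parent process and the surrounding directory before treating a file as stomped.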
Related rules
- Elastic Agent Service Terminated
- Masquerading Space After Filename
- Tampering of Shell Command-Line History
- WebServer Access Logs Deleted
- AWS SSM `SendCommand` with Run Shell Command Parameters