File Time Attribute Change - Linux
Detects changes to file time attributes (timestomping) made to hide newly created files or modifications to existing ones, by matching auditd EXECVE records for `touch` invoked with a timestamp-setting flag.
Sigma rule

title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
    - attack.defense-evasion
    - attack.t1070.006
logsource:
    product: linux
    service: auditd
detection:
    execve:
        type: 'EXECVE'
    touch:
        - 'touch'
    selection2:
        - '-t'
        - '-acmr'
        - '-d'
        - '-r'
    condition: execve and touch and selection2
falsepositives:
    - Unknown
level: medium
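The rule's `execve and touch and selection2` logic, applied to a few constructed auditd EXECVE records so the matching and non-matching cases are visible. This is an added illustration, not code from the Sigma project; the records, event ids and paths are made up, and the matcher evaluates the parsed argv instead of raw substrings.

```python
import re
from typing import Optional

# Constructed sample auditd records (not from the original page); the
# timestamps, event ids and paths are made up for illustration.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1668000000.101:201): argc=4 a0="touch" a1="-t" a2="202001010000" a3="/var/www/html/index.php"',
    'type=EXECVE msg=audit(1668000000.102:202): argc=4 a0="touch" a1="-r" a2="/etc/passwd" a3="/tmp/.cache"',
    'type=EXECVE msg=audit(1668000000.103:203): argc=2 a0="touch" a1="/tmp/newfile"',
    'type=EXECVE msg=audit(1668000000.104:204): argc=3 a0="/usr/bin/touch" a1="-acmr" a2="/opt/app/config"',
    'type=SYSCALL msg=audit(1668000000.105:205): arch=c000003e syscall=59 success=yes exit=0 comm="touch"',
]

# selection2 from the rule: the touch flags that set or copy timestamps
TOUCH_FLAGS = {"-t", "-acmr", "-d", "-r"}

ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')
TYPE_RE = re.compile(r"^type=(\S+)")
EVENT_ID_RE = re.compile(r"audit\([^:]+:(\d+)\)")

def parse_execve(record: str) -> Optional[list]:
    """Return argv of an EXECVE record (a0, a1, ... in order), or None for other record types."""
    m = TYPE_RE.match(record)
    if not m or m.group(1) != "EXECVE":
        return None
    args = {int(i): v for i, v in ARG_RE.findall(record)}
    return [args[i] for i in sorted(args)]

def matches_rule(record: str) -> bool:
    """execve and touch and selection2, evaluated on argv rather than on raw substrings."""
    argv = parse_execve(record)
    if not argv:
        return False
    # a0 may be a bare command name or a full path; compare the basename
    if argv[0].rsplit("/", 1)[-1] != "touch":
        return False
    return any(arg in TOUCH_FLAGS for arg in argv[1:])

def alerts(records) -> list:
    """Return the audit event ids (the serial after ':' in msg=audit(...)) that fire the rule."""
    return [EVENT_ID_RE.search(r).group(1) for r in records if matches_rule(r)]

if __name__ == "__main__":
    print(alerts(SAMPLE_RECORDS))  # ['201', '202', '204']
```

Two caveats when mapping this back to the rule as written: many Sigma backends treat the keyword selections (`touch`, `-t`, `-d`, ...) as substring matches over the whole record, so the raw rule can fire on unrelated arguments that merely contain those strings, and real auditd EXECVE records hex-encode (without quotes) any argument containing spaces or non-printable bytes, which this parser does not decode.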
Related rules
- File Creation Date Changed to Another Year
- File Time Attribute Change
- Powershell Timestomp
- Touch Suspicious Service File
- Unauthorized System Time Modification