File Time Attribute Change - Linux

Detects modification of file time attributes (timestomping via `touch`), used to hide newly created files or changes to existing ones.

Sigma rule

title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020/10/15
modified: 2022/11/28
tags:
    - attack.defense_evasion
    - attack.t1070.006
logsource:
    product: linux
    service: auditd
detection:
    execve:
        type: 'EXECVE'
    touch:
        - 'touch'
    selection2:
        - '-t'
        - '-acmr'
        - '-d'
        - '-r'
    condition: execve and touch and selection2
falsepositives:
    - Unknown
level: medium
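The rule above combines a field match (`type: 'EXECVE'`) with two keyword lists, and Sigma keyword lists are substring searches over the whole event rather than exact argument matches. The following Python is an added example, not part of the rule or the Sigma project, that applies the rule's logic to a handful of constructed auditd EXECVE records: it decodes auditd argument fields (including the hex encoding auditd uses for arguments containing spaces), evaluates the rule as written, and, for comparison, a stricter variant that requires `touch` to be argv[0] and a time flag to be a whole argument. Case-insensitive matching and the sample log lines are assumptions; the sample events are constructed, not captured.

```python
import re
from typing import List, Optional, Tuple

# Keywords from the rule's selection2: touch flags that set file timestamps.
TIME_FLAGS = ("-t", "-acmr", "-d", "-r")

TYPE_RE = re.compile(r"^type=(\w+)")
# aN="quoted value" or aN=HEX; auditd hex-encodes an argument that contains spaces or control chars.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve_argv(line: str) -> Optional[List[str]]:
    """Return the decoded argv of an auditd EXECVE record, or None for any other record type."""
    m = TYPE_RE.match(line)
    if not m or m.group(1) != "EXECVE":
        return None
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        args[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return [args[i] for i in sorted(args)]


def matches_keyword_rule(line: str) -> bool:
    """Mirror the Sigma rule literally: 'execve' requires type=EXECVE, then 'touch' and every
    selection2 entry are keyword (substring) searches over the event. The decoded argv is
    appended to the raw line so hex-encoded arguments are searchable too (assumption: case-insensitive)."""
    argv = parse_execve_argv(line)
    if argv is None:
        return False
    haystack = (line + " " + " ".join(argv)).lower()
    return "touch" in haystack and any(flag in haystack for flag in TIME_FLAGS)


def matches_strict_rule(line: str) -> bool:
    """Tighter variant (not the rule as published): argv[0] must be the touch binary and a
    time flag must appear as a whole argument, which removes substring hits such as '-rf'."""
    argv = parse_execve_argv(line)
    if not argv:
        return False
    program = argv[0].rsplit("/", 1)[-1]
    return program == "touch" and any(arg in TIME_FLAGS for arg in argv[1:])


def evaluate(events: List[str]) -> List[Tuple[int, bool, bool]]:
    """Run both matchers over a batch of events; returns (event number, keyword hit, strict hit)."""
    return [(i, matches_keyword_rule(e), matches_strict_rule(e)) for i, e in enumerate(events, 1)]


# Constructed sample records in auditd's EXECVE format (not real captures).
SAMPLE_EVENTS = [
    # 1: explicit timestamp via -t -> both matchers fire
    'type=EXECVE msg=audit(1602748800.101:4567): argc=4 a0="touch" a1="-t" a2="202001010101" a3="/tmp/.cache"',
    # 2: timestamps copied from a reference file via -r, full path to touch -> both fire
    'type=EXECVE msg=audit(1602748800.202:4568): argc=4 a0="/usr/bin/touch" a1="-r" a2="/etc/passwd" a3="/tmp/.cache"',
    # 3: -d with a hex-encoded date ("2020-10-15 12:00", encoded because it contains a space) -> both fire
    'type=EXECVE msg=audit(1602748800.303:4569): argc=4 a0="touch" a1="-d" a2=323032302D31302D31352031323A3030 a3="/tmp/.cache"',
    # 4: ordinary touch creating a file, no time flag -> neither fires
    'type=EXECVE msg=audit(1602748800.404:4570): argc=2 a0="touch" a1="/tmp/newfile"',
    # 5: the SYSCALL record for the same execution, not EXECVE -> neither fires
    'type=SYSCALL msg=audit(1602748800.404:4570): arch=c000003e syscall=59 success=yes exit=0 comm="touch" exe="/usr/bin/touch"',
    # 6: rm -rf on a path containing "touch": keyword semantics fire ("touch" and "-r" are substrings), strict does not
    'type=EXECVE msg=audit(1602748800.505:4571): argc=3 a0="rm" a1="-rf" a2="/tmp/touch-backup"',
]

if __name__ == "__main__":
    for number, keyword_hit, strict_hit in evaluate(SAMPLE_EVENTS):
        print(f"event {number}: keyword={keyword_hit} strict={strict_hit}")
```

Event 6 illustrates why the rule's false-positive rate is hard to predict from the YAML alone: short keywords like `-r` and `-d` match inside any longer flag or path, so a backend that maps keyword lists to plain substring search will alert on far more than `touch` invocations. Pairing the EXECVE record with its SYSCALL record (same audit serial, 4570 in events 4 and 5) is the usual way to recover the executing user and working directory for triage.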
