Touch Suspicious Service File
Detects use of the "touch" binary with the "-t" option on a file whose path ends in ".service", which is a way to timestomp a systemd unit file (MITRE ATT&CK T1070.006) so that a planted or modified unit blends in with the legitimately installed ones. The selection is deliberately narrow, and a practitioner should know what it does not cover: it matches only the " -t " form, so "touch -d <date> unit.service" and "touch -r <reference-file> unit.service" set the same timestamps without firing; the command line must end in ".service", so a unit that is not the last argument is not matched; and the Image must end in "/touch", so a busybox applet invoked as "busybox touch" is not matched either. The listed false positive, administrators legitimately adjusting file dates, should be tuned per environment.
Sigma rule
title: Touch Suspicious Service File
id: 31545105-3444-4584-bebf-c466353230d2
status: test
description: Detects usage of the "touch" process in service file.
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-11
tags:
    - attack.defense-evasion
    - attack.t1070.006
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/touch'
        CommandLine|contains: ' -t '
        CommandLine|endswith: '.service'
    condition: selection
falsepositives:
    - Admin changing date of files.
level: medium
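The following is an added example, not part of the Sigma rule or of the Sigma project: the rule's selection block re-implemented in Python and run over constructed process_creation events, so that the one true positive and the timestomps the rule does not see can be compared side by side. The field names follow the Sigma process_creation log source (Image, CommandLine); the event records, the dataclass and the function names are assumptions made for the demonstration.

```python
# Added example: port of the rule's selection block, run over made-up events.
# Not the Sigma project's code; field names follow the process_creation log
# source, everything else here is constructed for the demonstration.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the executed binary (Sigma field "Image")
    command_line: str   # argv joined by spaces (Sigma field "CommandLine")


def matches_touch_service_rule(event: ProcessEvent) -> bool:
    """Port of the rule's `selection` block.

    Sigma string modifiers (endswith, contains) compare case-insensitively
    unless a `cased` modifier is present, so both fields are lower-cased here.
    The three conditions are ANDed, as the keys of a single selection map are.
    """
    image = event.image.lower()
    cmd = event.command_line.lower()
    return (
        image.endswith("/touch")
        and " -t " in cmd
        and cmd.endswith(".service")
    )


# Constructed sample events: one true positive, one benign use of touch, and
# four timestomps of a unit file that the rule as written does not match.
SAMPLE_EVENTS = [
    # 1. what the rule is written for: explicit timestamp via -t on a unit file
    ProcessEvent("/usr/bin/touch",
                 "touch -t 202301110930 /etc/systemd/system/backup.service"),
    # 2. benign: touch without -t on a non-unit file
    ProcessEvent("/usr/bin/touch", "touch /tmp/notes.txt"),
    # 3. gap: -d sets the same timestamps, but the rule only looks for " -t "
    ProcessEvent("/usr/bin/touch",
                 "touch -d 2023-01-11 /etc/systemd/system/backup.service"),
    # 4. gap: -r copies the timestamps of a legitimate unit, again no " -t "
    ProcessEvent("/usr/bin/touch",
                 "touch -r /usr/lib/systemd/system/ssh.service "
                 "/etc/systemd/system/backup.service"),
    # 5. gap: the unit is not the last argument, so the line does not end in .service
    ProcessEvent("/usr/bin/touch",
                 "touch -t 202301110930 /etc/systemd/system/backup.service -m"),
    # 6. gap: a busybox applet has Image=/bin/busybox, which does not end in /touch
    ProcessEvent("/bin/busybox",
                 "busybox touch -t 202301110930 /etc/systemd/system/backup.service"),
]


def run_detection(events: List[ProcessEvent]) -> List[str]:
    """Return the command lines of the events that fire the rule."""
    return [e.command_line for e in events if matches_touch_service_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only event 1 fires. Events 3 to 6 all change the timestamps of a unit file and would be worth a sibling rule (for example one keyed on " -d " and " -r ", or on the unit path appearing anywhere in the command line rather than only at its end); whether that extra coverage is worth the added false positives from administrators touching unit files is a per-environment decision.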
Related rules
- File Creation Date Changed to Another Year
- File Time Attribute Change
- File Time Attribute Change - Linux
- Powershell Timestomp
- Unauthorized System Time Modification