File Time Attribute Change - Linux

Sigma Rules

Summary
This detection rule identifies changes to file time attributes on Linux systems, which can indicate attempts to obfuscate malicious activity or evade defenses. Malicious actors may alter timestamps to hide when files were created or modified, masking unauthorized activities such as placing backdoors or exfiltrating data. By monitoring execution of the `touch` command with the options that influence timestamps (`-t`, `-a`, `-c`, `-m`, `-r`, `-d`), this rule raises an alert whenever these attributes are manipulated. The rule requires data from `auditd`, so it applies only to environments that use this logging service to track system calls. False positives are possible, since legitimate system maintenance tasks may also use these commands for valid reasons. Incident response teams are advised to review alerts in the context of other system activity to determine the intent behind the modifications.
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Command
  • Logon Session
ATT&CK Techniques
  • T1070.006
Created: 2020-10-15