
Timestomping using Touch Command

Elastic Detection Rules

Summary
The detection rule 'Timestomping using Touch Command' identifies use of the `touch` command to alter file timestamps, a technique known as timestomping that threat actors use to make dropped or modified files blend in with their surroundings and to frustrate timeline analysis. The rule alerts when `touch` is started by a non-root user with arguments that set timestamps deliberately rather than merely creating or refreshing a file: `-r` (copy the timestamps of a reference file), `-t` (set an explicit timestamp), and `-a*` or `-m*` (change only the access or modification time). Known benign parent processes and paths are excluded to reduce false positives.

The rule runs against endpoint process events indexed from sources such as Auditbeat and is written in EQL; the corresponding ingest pipelines must be configured correctly so that events are processed and the fields the query relies on are populated. The activity maps to the MITRE ATT&CK Defense Evasion tactic, technique T1070 (Indicator Removal) and its sub-technique T1070.006 (Timestomp). The rule ships with investigation and triage guidance so responders can contextualize an alert and act on it.

Two points worth keeping in mind when triaging: `touch` can set a file's access and modification times but not its inode change time (ctime), which the kernel stamps with the current time at the moment of the change, so a file whose ctime is much later than its mtime is a strong corroborating signal. Conversely, the rule keys on the `touch` binary run by non-root users, so the same timestamp change made by root or through other tooling that calls the underlying system call directly will not trigger it.
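As an added illustration, not part of this page or of Elastic's rule set, the following Python mirrors the matching logic the summary describes over a handful of constructed process-start events in an ECS-like shape, and then demonstrates the follow-up check a responder can run on a flagged file: backdating a temporary file the way `touch -t` would and measuring how far its ctime has drifted from its mtime. The `BENIGN_PARENTS` allowlist and all sample events are constructed for this example; they are not the rule's actual exclusions or real telemetry.

```python
import fnmatch
import os
import tempfile
import time

# Argument forms the rule flags, per the page: -r (copy timestamps from a
# reference file), -t (explicit timestamp), -a*/-m* (access/modification only).
SUSPICIOUS_ARG_PATTERNS = ("-r", "-t", "-a*", "-m*")

# Hypothetical allowlist of benign parent processes, standing in for the rule's
# own exclusions, which the page does not enumerate. Constructed for this example.
BENIGN_PARENTS = ("cron", "systemd")


def matches_timestomp_rule(event):
    """Return True if a process-start event looks like timestomping via touch.

    Follows the page's description: `touch` started by a non-root user with
    -r, -t, -a* or -m* among its arguments, minus the (hypothetical) allowlist.
    Wildcard matching is case-insensitive to mimic EQL's ':' operator.
    """
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    if proc.get("name") != "touch":
        return False
    if event.get("user", {}).get("id") == "0":          # root is out of scope
        return False
    if proc.get("parent", {}).get("name") in BENIGN_PARENTS:
        return False
    args = proc.get("args", [])
    return any(fnmatch.fnmatchcase(a.lower(), p.lower())
               for a in args for p in SUSPICIOUS_ARG_PATTERNS)


# Constructed sample events (not real telemetry). process.args[0] is the binary.
SAMPLE_EVENTS = [
    # non-root user copies /bin/ls timestamps onto a dropped binary -> alert
    {"event": {"type": "start"}, "user": {"id": "1000"},
     "process": {"name": "touch", "args": ["touch", "-r", "/bin/ls", "/tmp/.x/sshd"],
                 "parent": {"name": "bash"}}},
    # explicit backdated timestamp -> alert
    {"event": {"type": "start"}, "user": {"id": "1000"},
     "process": {"name": "touch", "args": ["touch", "-t", "202001011200", "/var/tmp/.cache"],
                 "parent": {"name": "sh"}}},
    # same command as root -> excluded by the rule
    {"event": {"type": "start"}, "user": {"id": "0"},
     "process": {"name": "touch", "args": ["touch", "-t", "202001011200", "/etc/x"],
                 "parent": {"name": "bash"}}},
    # plain touch that just creates a file -> no timestamp arguments, no alert
    {"event": {"type": "start"}, "user": {"id": "1000"},
     "process": {"name": "touch", "args": ["touch", "/tmp/newfile"],
                 "parent": {"name": "bash"}}},
    # benign parent from the hypothetical allowlist -> no alert
    {"event": {"type": "start"}, "user": {"id": "1000"},
     "process": {"name": "touch", "args": ["touch", "-m", "/var/lib/job.stamp"],
                 "parent": {"name": "cron"}}},
]


def alerts(events):
    """Return the target path (last argument) of every event that alerts."""
    return [e["process"]["args"][-1] for e in events if matches_timestomp_rule(e)]


def ctime_mtime_skew(path):
    """Seconds by which ctime is later than mtime for the file at `path`.

    utimes() lets touch set atime and mtime freely, but the kernel records the
    current time as ctime on that very change, so a large positive skew means
    the modification time was set by hand rather than by a real write.
    """
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def demo_backdate():
    """Backdate a temp file as `touch -t 200001010000` would and return the skew."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dropped.bin")
        with open(path, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 12)           # constructed placeholder content
        backdated = time.mktime((2000, 1, 1, 0, 0, 0, 0, 0, -1))
        os.utime(path, (backdated, backdated))           # what touch -a -m -t does underneath
        return ctime_mtime_skew(path)


if __name__ == "__main__":
    print("alerting targets:", alerts(SAMPLE_EVENTS))
    print("ctime - mtime after backdating: %.0f seconds" % demo_backdate())
```

The `alerts()` helper returns only the last argument because that is the file a responder wants to inspect first; on a real alert, run the ctime-versus-mtime comparison against that path on the host before deciding the timestamps were legitimately set.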
Categories
  • Endpoint
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1070
  • T1070.006
Created: 2020-11-03