Type: Detection | Level: medium | Status: test
File Time Attribute Change - Linux
Detects changes to a file's time attributes, a technique used to hide newly created files or changes to existing files.
Author: Igor Fits, oscd.community
Created: Thu Oct 15 | Updated: Mon Nov 28
Rule ID: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
Product: linux
Log Source
Product: linux
Service: auditd
Detection Logic (3 selectors)
detection:
    execve:
        type: 'EXECVE'
    touch:
        - 'touch'
    selection2:
        - '-t'
        - '-acmr'
        - '-d'
        - '-r'
    condition: execve and touch and selection2

False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
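To show what the three selectors above actually match, here is an added Python example (not part of the rule or of this site) that applies the same logic to constructed auditd EXECVE records. It assumes the auditd argument fields a0..aN are either double-quoted or, when the argument contains spaces or special characters, hex-encoded as auditd does. Unlike most Sigma backends, which treat the field-less `touch` and `selection2` lists as substring keyword searches over the whole record, this example matches the program name and each flag as exact argv entries, so a combined flag such as `-am` is deliberately not caught, which mirrors the rule's own gap.

```python
import os
import re

# Flags from the rule's `selection2` selector: any of these sets a timestamp explicitly.
TIMESTOMP_FLAGS = {'-t', '-acmr', '-d', '-r'}

# Constructed auditd records (not real captures). Record 103 carries the
# hex-encoded argument "2023-01-01 12:00", as auditd emits for values with spaces.
SAMPLE_AUDIT_LINES = [
    'type=EXECVE msg=audit(1700000000.001:101): argc=4 a0="touch" a1="-t" a2="202301011200" a3="/tmp/report.txt"',
    'type=EXECVE msg=audit(1700000000.002:102): argc=4 a0="touch" a1="-r" a2="/etc/hostname" a3="/opt/app/config.ini"',
    'type=EXECVE msg=audit(1700000000.003:103): argc=4 a0="touch" a1="-d" a2=323032332D30312D30312031323A3030 a3="/tmp/x"',
    'type=EXECVE msg=audit(1700000000.004:104): argc=2 a0="touch" a1="/tmp/newfile"',
    'type=EXECVE msg=audit(1700000000.005:105): argc=3 a0="ls" a1="-r" a2="/tmp"',
    'type=SYSCALL msg=audit(1700000000.001:100): arch=c000003e syscall=59 success=yes exit=0 comm="touch"',
]

# a<N>=<value>, where value is either "quoted" or a bare run of hex digits.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(line):
    """Return (record_type, argv) for one auditd line; argv is empty for non-EXECVE records."""
    m = re.search(r'\btype=(\S+)', line)
    rtype = m.group(1) if m else ''
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        # Quoted values are used verbatim; hex values are decoded back to text.
        args[int(idx)] = quoted if quoted else bytes.fromhex(hexed).decode('utf-8', 'replace')
    argv = [args[i] for i in sorted(args)]
    return rtype, argv


def matches_rule(line):
    """Evaluate `execve and touch and selection2` against a single record."""
    rtype, argv = parse_execve(line)
    if rtype != 'EXECVE' or not argv:          # selector `execve`
        return False
    if os.path.basename(argv[0]) != 'touch':   # selector `touch` (basename, so /usr/bin/touch also hits)
        return False
    return any(a in TIMESTOMP_FLAGS for a in argv[1:])  # selector `selection2`


def scan(lines):
    """Apply the rule to every line; return (audit serial, argv) for each hit, for triage."""
    hits = []
    for line in lines:
        if matches_rule(line):
            m = re.search(r'msg=audit\([\d.]+:(\d+)\)', line)
            serial = int(m.group(1)) if m else -1
            hits.append((serial, parse_execve(line)[1]))
    return hits


if __name__ == '__main__':
    for serial, argv in scan(SAMPLE_AUDIT_LINES):
        print(f'audit serial {serial}: {" ".join(argv)}')
```

Records 101, 102 and 103 are the hits; the plain `touch /tmp/newfile` (104) and the `ls -r` (105) are not, which is the point of requiring both the `touch` and the flag selectors. Because the rule keys on the command line, a timestamp change made through `utimes(2)`-family syscalls by another program (or by `touch` called with a flag spelling the list does not contain) produces no EXECVE match; that is the main gap to keep in mind when assessing the rule's false negatives.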
References
Testing & Validation
Simulations (atomic-red-team, T1070.006)
- Set a file's access timestamp (GUID: 5f9113d5-ed75-47ed-ba23-ea3573d05810)
- Set a file's modification timestamp (GUID: 20ef1523-8758-4898-b5a2-d026cc3d2c52)
- Modify file timestamps using reference file (GUID: 631ea661-d661-44b0-abdb-7a7f3fc08e50)
MITRE ATT&CK
Tactics: Defense Evasion
Sub-techniques: T1070.006 (Timestomp)
Rule Metadata
Rule ID
b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
Status
test
Level
medium
Type
Detection
Created
Thu Oct 15
Modified
Mon Nov 28
Author
Igor Fits, oscd.community
Path
rules/linux/auditd/execve/lnx_auditd_change_file_time_attr.yml
Raw Tags
attack.defense-evasion, attack.t1070.006