From c460dcf5de8e19c2b723bc1c05427d452fdccd29 Mon Sep 17 00:00:00 2001
From: Mikhail Larin
Date: Mon, 19 Oct 2020 16:32:01 +0300
Subject: [PATCH] t1552.001 for lin/macos
---
 rules/linux/lnx_change_file_time_attr.yml | 33 +++++++++++++++++++++
 rules/linux/macos_change_file_time_attr.yml | 29 ++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 rules/linux/lnx_change_file_time_attr.yml
 create mode 100644 rules/linux/macos_change_file_time_attr.yml
diff --git a/rules/linux/lnx_change_file_time_attr.yml b/rules/linux/lnx_change_file_time_attr.yml
new file mode 100644
index 00000000..7f7cd5a3
--- /dev/null
+++ b/rules/linux/lnx_change_file_time_attr.yml
@@ -0,0 +1,33 @@
+title: 'File Time Attribute Change'
+id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains: 'touch'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml
new file mode 100644
index 00000000..2737887f
--- /dev/null
+++ b/rules/linux/macos_change_file_time_attr.yml
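Review bot: selection1 and selection2 are evaluated independently over the whole EXECVE record, so any command whose arguments merely contain the substrings `touch` and one of `-t`/`-d`/`-r` (a recursive copy or removal of a path such as `touchpad.conf`, for instance) satisfies `condition: selection1 and selection2`, and `-d`/`-r`/`-t` are substrings of many unrelated options. Anchoring the program on the first execve argument, e.g. `a0: 'touch'` (or `a0|endswith: '/touch'`) in selection1, would tie the option list to touch itself; whether `keywords|contains` is honoured by the backends in use is also worth confirming, since `keywords` is normally a bare full-text list. The `id` `b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b` is reused verbatim by the macOS rule in the next hunk; Sigma ids must be unique per rule, so one of the two needs a fresh UUID. `falsepositives: - 'Unknown'` could instead name the routine benign users of `touch -r`/`-d`/`-t` (build systems, packaging and backup tooling) so the medium level can be tuned. The patch subject says t1552.001 while the tags and reference point at T1070.006; the tags look right for timestomping, so the subject is presumably the typo.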
@@ -0,0 +1,29 @@
+title: 'File Time Attribute Change'
+id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ CommandLine|contains: 'touch'
+ selection2:
+ CommandLine|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
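Review bot: `CommandLine|contains: 'touch'` in selection1 matches any process whose command line contains that substring, not only the touch binary, so a process_creation event for something like `cp -r ... touchscreen/` satisfies the condition as written. For the process_creation category the executed binary is exposed as `Image`, so `Image|endswith: '/touch'` in selection1 would pin the rule to the program actually being audited and leave selection2 to qualify the options. The new file is created as `rules/linux/macos_change_file_time_attr.yml` although `logsource.product` is `macos`; if the repository keeps a per-product rule directory, the rule belongs under the macOS one so product-based rule selection picks it up. The OpenBSM prerequisite in the comment is useful and could be repeated in `description` or `references`, since comments are dropped by most YAML consumers and will not reach analysts reading the converted rule.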