This note documents detection patterns for timestamp tampering (timestomping) on Linux: setting a file's access and modification times with `touch` so that a dropped payload or persistence file blends in with the legitimate files around it.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | `touch -r` | Copy atime/mtime from a reference file | Critical | Classic timestomp method. |
| Shell history | `touch -t` | Manual timestamp set | Critical | Direct anti-forensic action. `touch -d`/`--date` does the same and is often left out of searches. |
| Shell history | `touch --reference=` | Timestamp cloning (long form of `-r`) | Critical | Strong stealth indicator. |
| Shell history | `stat` on a file shortly before `touch -r` on that same file | Timestamp prep | High | Common operator behaviour: inspect a legitimate file, then clone its times onto the payload. |
| File metadata | mtime older than the file's birth time (`stat` Birth field) | Timestomp | Critical | Strong anomaly: content cannot predate the inode. |
| File metadata | ctime much newer than mtime | Timestamp inconsistency | Critical | Core clue: `touch` cannot set ctime, the kernel stamps it with the current time. Package installs, chmod and chown produce the same pattern, so corroborate. |
| File metadata | Hidden (dot-prefixed) payload with old timestamps | Concealment | Critical | Strong anti-forensic signal. |
| File metadata | Persistence file (cron entry, systemd unit, shell profile) with mismatched times | Stealth persistence | Critical | High-value finding. |
| auditd | `execve` of `/usr/bin/touch`, or `utimensat`/`utimes` syscall records | touch execution | Critical | Attribution via `auid`, `uid` and `comm`. |
| File metadata | Temp file (e.g. from `/tmp`) copied to a system path, then timestamped | Timestamp camouflage | Critical | Strong hostile sequence. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Timestamp change after payload drop | File written, then `touch` run against it shortly afterwards | Critical | Strong chain. |
| Same timestamp as a legitimate binary | Dropped file whose mtime matches a neighbouring system binary to the second | Critical | Mature operator behaviour. |
| ctime out of step with sibling files | One file in a package-installed directory whose ctime differs from the rest, which all share the install time | Critical | Reliable clue. |
| Timestomp after privilege escalation | `touch -r`/`-t` in history shortly after `sudo`/`su` or another escalation | Critical | Cleanup discipline; mature hostile sequence. |
| Hidden file plus cloned timestamp | Dot-file whose times match a reference file exactly | Critical | High-confidence malicious signal. |
Common Tools
| Tool | Usage |
|---|---|
| `touch -r <ref> <target>` | Clone atime/mtime from `<ref>` onto `<target>`. |
| `touch -t [[CC]YY]MMDDhhmm[.ss] <target>` | Set an explicit timestamp. |
| `stat <file>` | Compare atime, mtime, ctime and birth time. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| File metadata | `stat`, `find -newerct`/`-newermt` | Critical | Primary truth source; ctime and birth time cannot be set with `touch`. |
| Shell history | `~/.bash_history`, `~/.zsh_history` | Critical | Timestomp command evidence. Written at shell exit and trivially disabled (`unset HISTFILE`), so absence proves nothing. |
| Audit logs | `/var/log/audit/audit.log` (`ausearch -k <key>`) | Critical | Attribution. |
MITRE ATT&CK References
- T1070 Indicator Removal (formerly Indicator Removal on Host)
- T1070.006 Indicator Removal: Timestomp
Decision Tree
- Was `touch` invoked with `-r`/`--reference`, `-t` or `-d`, and by which user (`auid`)?
- Which file did it target?
- Do the target's ctime and birth time contradict its mtime?
- What file served as the reference, and is the target now indistinguishable from it by timestamp?
- Is the target a payload or a persistence mechanism?
Example Detection Templates
Grep
```bash
# Timestamp-setting touch options (-r, -t, -d and their long forms) plus stat prep commands;
# the (^|;) alternative also catches zsh EXTENDED_HISTORY lines, which carry a ": ts:0;" prefix.
grep -E -H 'touch( .*)? -(r|t|d|-reference|-date)|(^|;)stat ' \
  /home/*/.bash_history /root/.bash_history /home/*/.zsh_history /root/.zsh_history 2>/dev/null
```
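The grep finds individual commands; tying a `touch -r` to the `stat` that preceded it on the reference file (the prep pattern in the Direct Indicators table) needs a small parser. The following is an added example in Python, not part of the original note: it reads plain bash history or zsh EXTENDED_HISTORY, flags every timestamp-setting `touch`, extracts reference and targets, and links each hit to the latest earlier `stat` on the reference. The history it runs on is constructed for the demo.

```python
"""Shell-history triage for timestomp chains (added example, not from the original note).

Flags every `touch` invoked with a timestamp-setting option (-r/--reference,
-t, -d/--date), extracts the reference file and target(s), and links the hit
to the most recent earlier `stat` on the reference file, the "inspect a
legitimate file, then clone its times" prep pattern.
"""
import re
import shlex

# zsh EXTENDED_HISTORY lines look like ": 1700000000:0;cmd"; bash lines are bare.
_ZSH_PREFIX = re.compile(r"^: \d+:\d+;")


def parse_touch(cmd: str):
    """Return (reference, targets) if cmd is a timestomping touch, else None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: not parseable, not a hit
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "touch":
        return None
    reference, targets, hit = None, [], False
    i = 1
    while i < len(argv):
        a = argv[i]
        if a.startswith("--reference="):
            reference, hit = a.split("=", 1)[1], True
        elif a.startswith("--date="):
            hit = True
        elif a in ("-r", "--reference"):
            hit = True
            if i + 1 < len(argv):
                reference = argv[i + 1]
            i += 1
        elif a in ("-t", "-d", "--date"):
            hit = True
            i += 1                              # skip the timestamp value
        elif a.startswith("-") and len(a) > 1:
            # Combined short options such as -mr or -amt: the trailing letter
            # is the one that takes the next token as its argument.
            if a[-1] in "rtd":
                hit = True
                if a[-1] == "r" and i + 1 < len(argv):
                    reference = argv[i + 1]
                i += 1
        else:
            targets.append(a)
        i += 1
    return (reference, targets) if hit else None


def triage_history(text: str):
    """Return one finding per timestomping touch, with the line of any prep `stat`."""
    stat_seen = {}                      # path -> line number of the latest `stat` on it
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        cmd = _ZSH_PREFIX.sub("", raw).strip()
        try:
            argv = shlex.split(cmd)
        except ValueError:
            continue
        if argv and argv[0] == "stat":
            args = iter(argv[1:])
            for tok in args:
                if tok in ("-c", "--format", "--printf"):
                    next(args, None)    # skip the format string
                elif not tok.startswith("-"):
                    stat_seen[tok] = n
            continue
        parsed = parse_touch(cmd)
        if parsed:
            reference, targets = parsed
            findings.append({"line": n, "command": cmd, "reference": reference,
                             "targets": targets, "prior_stat": stat_seen.get(reference)})
    return findings


# Constructed sample history (not a real capture); mixes bash and zsh formats.
SAMPLE_HISTORY = """\
ls -la /usr/lib/systemd/system
stat /usr/lib/systemd/system/cron.service
cp /tmp/.x.service /usr/lib/systemd/system/sysupd.service
touch -r /usr/lib/systemd/system/cron.service /usr/lib/systemd/system/sysupd.service
: 1700000000:0;touch -t 202001150830 /etc/cron.d/.backup
touch /tmp/newfile
touch --reference=/bin/ls /tmp/.ld.so
"""

if __name__ == "__main__":
    for f in triage_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['command']}  (prep stat at line {f['prior_stat']})")
```

Run it against a copied `.bash_history` or `.zsh_history`; a finding whose `prior_stat` is set is the full stat-then-clone sequence, and `reference` tells you which legitimate file the payload now mimics.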
Journalctl / ausearch
```bash
# journald only carries audit records when they are forwarded from the audit multiplexer;
# plain `journalctl | grep touch` matches unrelated text and misses arguments split into a0/a1.
journalctl _TRANSPORT=audit | grep 'comm="touch"'
# With an auditd rule keyed "timestomp" in place, -i resolves syscall numbers, uids and hex proctitle.
ausearch -i -k timestomp
ausearch -i -c touch
```
File Inspection
```bash
# mtime (%y) and ctime (%z) side by side; %w is birth time, printed as "-" where the filesystem has none
stat -c '%n mtime=%y ctime=%z birth=%w' <file>
# Files whose inode changed in the last day but whose content time is older: the ctime/mtime gap touch leaves behind
find / -xdev -type f -newerct '1 day ago' ! -newermt '1 day ago' 2>/dev/null
```
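The `stat` and `find` one-liners check one file or one time window; the Direct Indicators rows on mtime older than birth time and on a ctime far newer than mtime can be run over a whole tree. The following is an added example in Python, not part of the original note, that implements both rules; the `demo()` scenario, its temp directory and the 7-day/30-day thresholds are constructed for illustration and should be tuned to the host.

```python
"""Metadata anomaly scan for timestomped files (added example, not from the original note).

Walks a directory tree and flags files whose own timestamps contradict each other:
  * mtime_before_birth: modification time earlier than the inode's birth time.
    Content cannot predate the inode. Needs Python 3.12+ on a filesystem that
    reports birth time (ext4/xfs/btrfs via statx); otherwise the rule is skipped.
  * old_mtime_recent_ctime: ctime inside a recent window but mtime far older.
    touch cannot set ctime, so a file "last modified" long ago whose inode
    changed this week deserves a look. Package installs, chmod and chown
    produce the same pattern, so treat hits as leads to corroborate with
    shell history and audit records, not as verdicts.
"""
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

ONE_DAY = 86400


@dataclass
class Finding:
    path: str
    rule: str
    mtime: float
    ctime: float
    birth: Optional[float]


def check_file(path: str, now: Optional[float] = None,
               recent_days: int = 7, min_gap_days: int = 30) -> List[Finding]:
    """Apply both rules to one path; returns an empty list for a clean file."""
    now = time.time() if now is None else now
    st = os.lstat(path)
    birth = getattr(st, "st_birthtime", None)  # absent on Python < 3.12 or unsupported fs
    found = []
    if birth is not None and st.st_mtime < birth - 1:       # 1 s slack for coarse clocks
        found.append(Finding(path, "mtime_before_birth", st.st_mtime, st.st_ctime, birth))
    recent = now - st.st_ctime <= recent_days * ONE_DAY
    if recent and st.st_ctime - st.st_mtime >= min_gap_days * ONE_DAY:
        found.append(Finding(path, "old_mtime_recent_ctime", st.st_mtime, st.st_ctime, birth))
    return found


def scan_tree(root: str, **rule_args) -> List[Finding]:
    """Recursively scan root without following symlinks or crossing mount points."""
    root_dev = os.lstat(root).st_dev
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune other mounts (/proc, /sys, network shares) in place so walk() skips them.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            try:
                findings.extend(check_file(os.path.join(dirpath, name), **rule_args))
            except OSError:
                continue  # vanished or unreadable; not a timestamp anomaly
    return findings


def demo() -> List[Finding]:
    """Constructed scenario in a temp dir: one clean file and one timestomped dot-file."""
    d = tempfile.mkdtemp(prefix="tstomp-")
    try:
        for name in ("clean.txt", ".cache.so"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write("x")
        old = time.time() - 400 * ONE_DAY
        os.utime(os.path.join(d, ".cache.so"), (old, old))  # what `touch -t`/`touch -r` does
        return scan_tree(d)
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.rule:24s} {f.path}  mtime={time.ctime(f.mtime)}  ctime={time.ctime(f.ctime)}")
```

`scan_tree("/usr/lib/systemd/system")` or `scan_tree("/etc")` is a realistic call; on a host where a package was upgraded this week every file from that package fires the second rule, which is exactly the "ctime out of step with sibling files" comparison: the one file whose ctime does not match its neighbours is the lead.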
Sigma
```yaml
title: Linux Timestamp Tampering via touch
# Sigma requires a UUID here; the original placeholder is kept unchanged
id: linux-timestamp-tampering
status: experimental
description: Detects touch invoked with an option that sets timestamps (-r/--reference, -t, -d/--date) on Linux
# Keyword matching on the literal text "touch -r" does not work against auditd, which splits
# arguments into a0/a1 fields; match on process-creation fields (Image, CommandLine) instead.
logsource:
  product: linux
  category: process_creation
detection:
  selection_image:
    Image|endswith: '/touch'
  selection_args:
    CommandLine|contains:
      - ' -r '
      - ' --reference'
      - ' -t '
      - ' -d '
      - ' --date'
  condition: all of selection_*
falsepositives:
  - Build, packaging and backup scripts that preserve timestamps on purpose
level: high
tags:
  - attack.defense_evasion
  - attack.t1070.006
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Metadata review | Compare ctime, mtime and birth time systematically (`find -newerct ... ! -newermt ...`) | Critical | Core timestomp detection; `touch` cannot alter ctime or birth time. |
| Auditd | Audit the `utimensat`/`utimes` syscall family for interactive users, not only execution of `/usr/bin/touch` | High | Catches timestomping done from Python, Perl or a custom binary, with `auid` for attribution. |
| File integrity monitoring | Baseline metadata and alert on mtime changes that come without a content change | High | Strong anti-forensic detection. |
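The auditd rows above (in Direct Indicators and in Mitigation) assume a syscall-level rule and a way to read the resulting records. The following is an added example in Python, not part of the original note; the audit rule in its docstring is the one the example assumes is loaded, the log lines are constructed to mimic auditd's format (not a real capture), and only x86_64 syscall numbers are mapped.

```python
"""Triage of auditd records for timestamp-setting syscalls (added example, not from the original note).

Assumes the host audits the utimensat family, e.g. with this rule in
/etc/audit/rules.d/timestomp.rules (64-bit; add an arch=b32 twin for 32-bit binaries):
    -a always,exit -F arch=b64 -S utimensat,utimes,utime,futimesat -F auid>=1000 -F auid!=unset -k timestomp
Each event is reassembled from its SYSCALL, PATH and PROCTITLE records (they share
one msg=audit(ts:serial) id) to answer: who (auid/uid), with what (comm/exe and the
decoded argv, which carries the -r reference file), against which path.
"""
import re
from collections import defaultdict

_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# x86_64 (arch=c000003e) syscall numbers of the timestamp-setting family.
TIMESTAMP_SYSCALLS = {132: "utime", 235: "utimes", 261: "futimesat", 280: "utimensat"}


def _unq(v):
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def decode_proctitle(raw):
    """PROCTITLE is hex-encoded when argv contains NULs/spaces; otherwise quoted text."""
    if raw.startswith('"'):
        return [_unq(raw)]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace").split("\0")
    except ValueError:
        return [raw]


def group_events(text):
    """Map (timestamp, serial) -> list of raw field dicts, one per record."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = _MSG.search(line)
        if m:
            events[m.groups()].append(dict(_KV.findall(line)))
    return events


def timestomp_events(text, key=None):
    """Return one summary dict per event whose SYSCALL is in the utimensat family."""
    out = []
    for (ts, serial), recs in group_events(text).items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("arch") != "c000003e":
            continue
        name = TIMESTAMP_SYSCALLS.get(int(sc.get("syscall", -1)))
        if name is None or (key and _unq(sc.get("key", "")) != key):
            continue
        # PATH items: the PARENT entry is the directory, the rest are the files touched.
        targets = [_unq(r["name"]) for r in recs
                   if r.get("type") == "PATH" and r.get("nametype") != "PARENT"]
        pt = next((r for r in recs if r.get("type") == "PROCTITLE"), None)
        out.append({
            "time": ts, "serial": serial, "syscall": name, "success": sc.get("success"),
            "auid": sc.get("auid"), "uid": sc.get("uid"),
            "comm": _unq(sc.get("comm", "")), "exe": _unq(sc.get("exe", "")),
            "key": _unq(sc.get("key", "")), "targets": targets,
            "argv": decode_proctitle(pt["proctitle"]) if pt else [],
        })
    return out


def _pt(*argv):
    """Hex-encode an argv the way auditd does for PROCTITLE (NUL-separated)."""
    return "\0".join(argv).encode().hex()


_PT_TOUCH = _pt("touch", "-r", "/usr/lib/systemd/system/cron.service",
                "/usr/lib/systemd/system/sysupd.service")
_PT_PY = _pt("python3", "-c", "import os;os.utime('/etc/cron.d/.backup',(1579077000,1579077000))")

# Constructed sample, not a real capture: a touch -r against a dropped unit file, a
# Python os.utime() call that no touch-only rule would see, and an execve to be ignored.
SAMPLE_LOG = f"""\
type=SYSCALL msg=audit(1700000000.101:9001): arch=c000003e syscall=280 success=yes exit=0 a0=ffffff9c a1=55d0c0f4a2e0 a2=7ffd2e4c3a30 a3=0 items=2 ppid=4120 pid=4188 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=3 comm="touch" exe="/usr/bin/touch" key="timestomp"
type=CWD msg=audit(1700000000.101:9001): cwd="/root"
type=PATH msg=audit(1700000000.101:9001): item=0 name="/usr/lib/systemd/system/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:9001): item=1 name="/usr/lib/systemd/system/sysupd.service" inode=2210 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.101:9001): proctitle={_PT_TOUCH}
type=SYSCALL msg=audit(1700000012.377:9004): arch=c000003e syscall=280 success=yes exit=0 a0=ffffff9c a1=7f1c0e2a1b40 a2=7ffc8c1d2e10 a3=0 items=2 ppid=4120 pid=4203 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=3 comm="python3" exe="/usr/bin/python3.11" key="timestomp"
type=PATH msg=audit(1700000012.377:9004): item=0 name="/etc/cron.d/" inode=262 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000012.377:9004): item=1 name="/etc/cron.d/.backup" inode=2301 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000012.377:9004): proctitle={_PT_PY}
type=SYSCALL msg=audit(1700000020.004:9007): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0f4a100 a1=55d0c0f4a2a0 a2=55d0c0f49f80 a3=8 items=2 ppid=4120 pid=4210 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" key="exec"
"""

if __name__ == "__main__":
    for e in timestomp_events(SAMPLE_LOG, key="timestomp"):
        print(f"{e['time']} auid={e['auid']} uid={e['uid']} {e['syscall']} by {e['exe']} "
              f"on {e['targets']} argv={e['argv']}")
```

Feed it `/var/log/audit/audit.log` (or the output of `ausearch -k timestomp --raw`). The second event is why the syscall rule matters: `comm="python3"` never executed `/usr/bin/touch`, yet it set timestamps on a cron file, and `auid=1000` ties the root-level action back to the login user.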