AN1627: Analytic 1627
Detects use of timestamp-altering commands like `touch -a -m -t` or `touch -r`, particularly when executed by unusual users or in suspicious directories.
Analyst context for executives and security teams
This analytic matters because Linux file timestamp changes can weaken incident timelines, audit trails, and forensic confidence. The supplied ATT&CK object focuses on detecting suspicious use of timestamp-altering touch options such as `touch -a -m -t` or `touch -r`, especially by unusual users or in suspicious directories. For leaders, the decision value is not that every `touch` command is malicious, but that organizations should know whether they can see and explain timestamp manipulation when investigating a Linux host.
Executive priority
Prioritize this as an evidence-integrity and incident-readiness control for Linux environments. Security leaders should ask whether SOC and IR teams collect enough endpoint/process telemetry to identify unusual timestamp changes, whether privileged and service-account activity is baselined, and whether audit/compliance investigations can rely on file metadata without corroborating evidence. This is most relevant where Linux systems support critical services, regulated data, build pipelines, or operational infrastructure.
Technical view
Validate visibility into Linux process execution involving `touch` with timestamp-modifying arguments, specifically `-a`, `-m`, `-t`, and `-r`. Because the ATT&CK object provides no formal detection logic and no relationship context, teams should build environment-specific baselines: which users normally run these commands, which directories are expected, and which hosts commonly perform legitimate file maintenance. Investigations should correlate command execution with user context, working directory, parent process, target path, privilege level, and nearby file or authentication activity.
Likely telemetry
- Linux process execution telemetry, including command-line arguments
- User and privilege context for command execution
- Parent process and working directory details
- File metadata change events where available
- Shell history or terminal session records where retained
Detection direction
- Alert or hunt for `touch` executions using timestamp-altering options such as `-a -m -t` or `-r`, with tuning for known administrative or application workflows.
- Prioritize unusual users, unexpected service accounts, privileged execution, suspicious directories, and sensitive application or log paths.
- Correlate timestamp changes with other host activity rather than treating `touch` alone as sufficient evidence of compromise.
- Account for false positives from build systems, deployment scripts, backup/restore jobs, packaging workflows, and legitimate file maintenance.
- Identify blind spots where command-line logging is absent, truncated, or not centrally collected from Linux systems.
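As an added example (not part of the ATT&CK object or of the Glexia page), the Technical view and Detection direction above sketched in Python: it parses captured Linux command lines, keeps only `touch` calls that supply an explicit timestamp source (`-t`, `-r`, `-d` and their long forms), resolves targets against the working directory, and scores each hit against user and directory baselines. The baseline sets, sensitive-path prefixes, and sample records are constructed assumptions to be replaced with local data.

```python
import shlex

# Baselines are constructed assumptions for this example; tune them per environment.
EXPECTED_USERS = {"deploy", "jenkins"}
EXPECTED_DIRS = ("/opt/app/releases/", "/var/lib/jenkins/")
SENSITIVE_PATHS = ("/var/log/", "/etc/", "/root/", "/home/")
SOURCE_OPTS = {"-t", "-r", "-d", "--reference", "--date"}  # -a/-m alone only select which timestamp is set

def touch_timestamp_opts(cmdline):  # (options, targets) for a touch call with an explicit timestamp source
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the captured command line
        argv = []
    if not argv or argv[0].rsplit("/", 1)[-1] != "touch":
        return [], []
    opts, targets, args = [], [], iter(argv[1:])
    for tok in args:
        if tok.startswith("--"):  # --reference=FILE or --date STRING
            opts.append(tok.split("=", 1)[0])
            if tok in SOURCE_OPTS:
                next(args, None)  # value given as the next token
        elif tok.startswith("-") and len(tok) > 1:  # short options, possibly combined (-amt)
            for i, ch in enumerate(tok[1:], 1):
                opts.append("-" + ch)
                if "-" + ch in SOURCE_OPTS:
                    if i == len(tok) - 1:
                        next(args, None)  # -t STAMP / -r FILE: value is the next token
                    break  # -tSTAMP: rest of this token is the value
        else:
            targets.append(tok)
    return (opts, targets) if SOURCE_OPTS & set(opts) else ([], [])

def assess(event):  # score one process record {user, cwd, cmdline}; None if not a timestamp-setting touch
    opts, targets = touch_timestamp_opts(event["cmdline"])
    if not opts:
        return None
    paths = [t if t.startswith("/") else event.get("cwd", "/").rstrip("/") + "/" + t for t in targets]
    checks = [(event["user"] not in EXPECTED_USERS, "unexpected user " + event["user"]),
              (not all(p.startswith(EXPECTED_DIRS) for p in paths), "target outside baselined directories"),
              (any(p.startswith(SENSITIVE_PATHS) for p in paths), "sensitive path targeted")]
    reasons = [msg for hit, msg in checks if hit]
    level = ("baseline", "review", "alert")[min(len(reasons), 2)]
    return {"level": level, "opts": opts, "targets": paths, "reasons": reasons}

SAMPLE_EVENTS = [  # constructed process-execution records, not real telemetry
    {"user": "jenkins", "cwd": "/var/lib/jenkins/workspace", "cmdline": "touch -r build.json dist/app.tar.gz"},
    {"user": "www-data", "cwd": "/var/log/nginx", "cmdline": "touch -a -m -t 202401010000.00 access.log"},
    {"user": "alice", "cwd": "/home/alice", "cmdline": "touch notes.txt"},
]
```

Run `assess` over each process record: the build-system call scores as baseline, the log-directory call as alert, and a plain `touch` that only sets the current time returns None rather than generating noise.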
Mitigation priorities
- Ensure Linux endpoint/process telemetry captures command-line arguments and user context for relevant systems.
- Define baselines for legitimate timestamp modification by administrators, automation, deployment tools, and service accounts.
- Restrict unnecessary privileged access and review who can modify sensitive directories or logs.
- Protect and centralize important logs so file metadata on a single host is not the only source of investigative truth.
- Document response playbooks for suspected timestamp manipulation, including preservation of process, file, authentication, and backup evidence.
Analyst notes and limits
This is a detection analytic object, not a full ATT&CK technique description. The only supplied platform is Linux, and tactics are not specified. The practical value is strongest when used as a validation question: can the organization observe and investigate suspicious timestamp-altering command use on Linux hosts?
The object has no official detection logic, no supplied relationships, no aliases, and no tactic mapping in the provided fields. Any severity, threat association, exploitation claim, or platform expansion would require local evidence or additional ATT&CK context not supplied here.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 538d7e6b303a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1627 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.