admin changing date of files.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml>sigma
technicques: t1070 t1070.006

Techniques

Detects usage of the “touch” process in service file.

condition: selection
selection:
  CommandLine|contains: ' -t '
  CommandLine|endswith: .service
  Image|endswith: /touch