{
  "author": "_soteria-rules-edr-926e2197-189b-4d89-9675-c8993933dc9a[bulk][segment]",
  "cat": "00087-NIX-Touch_Timestomping",
  "detect": {
    "event": {
      "COMMAND_LINE": "touch -r /snap/firmware-updater/212/gnome-platform /home/dfusion/snap/firmware-updater/common/.cache/desktop-runtime-date",
      "FILE_PATH": "/usr/bin/touch",
      "HASH": "8b0047b0de380f0bac3855400263214e33fbc2995b5637e9104a9de3f738ec82",
      "PARENT": {
        "COMMAND_LINE": "/snap/firmware-updater/212/bin/firmware-notifier",
        "FILE_PATH": "/bin/firmware-notifier",
        "PARENT_ATOM": "526b6373f805df4c8c7fefb269c0648f",
        "PARENT_PROCESS_ID": 17178,
        "PROCESS_ID": 19710,
        "THIS_ATOM": "ea8b4e534eb8569d8a44748c69c0828a",
        "TIMESTAMP": 1774224010156,
        "USER_ID": 1000,
        "USER_NAME": "dfusion"
      },
      "PARENT_PROCESS_ID": 19710,
      "PROCESS_ID": 19802,
      "USER_ID": 1000,
      "USER_NAME": "dfusion"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "17b70f5f-0f51-40d4-8f93-4993e1aa5a74",
      "event_time": 1774224010019,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "fusionserver",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.1.6",
      "latency": 4029,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "ea8b4e534eb8569d8a44748c69c0828a",
      "plat": 536870912,
      "sid": "04e68799-92b7-411a-9abf-293a59ff94df",
      "tags": [
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "d3ba04797e08df3c30a0b43b69c0828a"
    }
  },
  "detect_id": "5655aac9-d51e-45e8-9862-242169c0828e",
  "detect_mtd": {
    "description": "Touch is a Unix tool used to create empty files and modify time stamps. Timestomping is a technique that modifies the timestamps of a file for defense evasion and antiforensics. Adversaries may use Touch to modify timestamps of malicious files.",
    "falsepositives": [
      "System Administrators may legitimately use Touch to modify a file\u0027s timestamp for reason such as source control approaches to storage usage analysis."
    ],
    "references": [
      "https://www.elastic.co/guide/en/security/current/timestomping-using-touch-command.html",
      "https://attack.mitre.org/techniques/T1070/006/",
      "https://redcanary.com/blog/rocke-cryptominer/",
      "http://man7.org/linux/man-pages/man1/touch.1.html"
    ],
    "tags": [
      "attack.tA0005",
      "attack.t1070",
      "attack.t1070.006"
    ]
  },
  "gen_time": 1774224014049,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/04e68799-92b7-411a-9abf-293a59ff94df/timeline?time=1774224010\u0026selected=d3ba04797e08df3c30a0b43b69c0828a",
  "namespace": "general",
  "priority": 2,
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "17b70f5f-0f51-40d4-8f93-4993e1aa5a74",
    "event_time": 1774224010019,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "fusionserver",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.1.6",
    "latency": 4029,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "ea8b4e534eb8569d8a44748c69c0828a",
    "plat": 536870912,
    "sid": "04e68799-92b7-411a-9abf-293a59ff94df",
    "tags": [
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "d3ba04797e08df3c30a0b43b69c0828a"
  },
  "rule_tags": [
    "ext:soteria-rules-edr",
    "attack.tA0005",
    "attack.t1070",
    "attack.t1070.006"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.04e68799-92b7-411a-9abf-293a59ff94df.20000000.2",
  "source_rule": "service.NIX-Touch_Timestomping",
  "ts": 1774224054000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 11,
      "undetected": 65
    }
  }
}

{
  "confidence": 0.925,
  "false_positive_reason": "The detection rule targets NIX-Touch_Timestomping which is a common technique used by malware, but in this case it\u0027s being used by legitimate firmware updater software within the Snap ecosystem. The file path and command line are consistent with expected behavior for system utilities.",
  "investigation_questions": [
    "Is the firmware-updater snap package updated to latest version?",
    "Are there any other suspicious processes running alongside this process?"
  ],
  "ioc_analysis": "The file path /usr/bin/touch matches known-good system binary locations on Linux systems. The command line shows legitimate use of touch to update timestamps in a cache directory, which is common behavior for firmware updater services. The process runs under user dfusion (UID 1000) within the snap environment, consistent with expected application behavior.",
  "iocs_extracted": [
    "/usr/bin/touch",
    "touch -r /snap/firmware-updater/212/gnome-platform /home/dfusion/snap/firmware-updater/common/.cache/desktop-runtime-date"
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Monitor for similar patterns in production environments",
    "Review firmware updater service logs if anomalies detected"
  ],
  "risk_score": 10,
  "severity": "informational",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udde0 dgx-122b Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive as the process /usr/bin/touch is a standard Linux utility running within an expected Snap environment for firmware updates.\n\n**IOC Analysis:** The file path /usr/bin/touch matches known-good system binary locations on Linux systems. The command line shows legitimate use of touch to update timestamps in a cache directory, which is common behavior for firmware updater services. The process runs under user dfusion (UID 1000) within the snap environment, consistent with expected application behavior.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection event involves a standard Linux \u0027touch\u0027 command used to modify file timestamps, likely as part of a legitimate system maintenance task by the firmware-updater process. Given the context and historical analyst feedback, this is likely a false positive.\n\n**IOC Analysis:** The FILE_PATH \u0027/usr/bin/touch\u0027 is a legitimate Linux command for changing file timestamps. The COMMAND_LINE uses standard options to copy timestamps, which is common in system maintenance. The HASH is not verified against known malicious databases, but the context suggests benign activity. The parent process \u0027firmware-notifier\u0027 appears legitimate, and the user \u0027dfusion\u0027 is likely a system user.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}