diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 89efc53a..30c5f05f 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -9886,20 +9886,10 @@ defense-evasion:
 description: Path of reference file to read timestamps from
 type: path
 default: "/bin/sh"
- dependencies:
- - description: 'The file must exist in order to be timestomped
-
- '
- prereq_command: 'test -e #{target_file_path} && exit 0 || exit 1
-
- '
- get_prereq_command: 'echo ''T1070.006 reference file timestomp test'' > #{target_file_path}
-
- '
 executor:
- command: 'touch -acmr #{reference_file_path} #{target_file_path}
-
- '
+ command: |
+ touch #{target_file_path}
+ touch -acmr #{reference_file_path} #{target_file_path}
 cleanup_command: 'rm -f #{target_file_path}
 
 '
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
index aef87993..493abefe 100644
--- a/atomics/Indexes/linux-index.yaml
+++ b/atomics/Indexes/linux-index.yaml
@@ -5705,20 +5705,10 @@ defense-evasion:
 description: Path of reference file to read timestamps from
 type: path
 default: "/bin/sh"
- dependencies:
- - description: 'The file must exist in order to be timestomped
-
- '
- prereq_command: 'test -e #{target_file_path} && exit 0 || exit 1
-
- '
- get_prereq_command: 'echo ''T1070.006 reference file timestomp test'' > #{target_file_path}
-
- '
 executor:
- command: 'touch -acmr #{reference_file_path} #{target_file_path}
-
- '
+ command: |
+ touch #{target_file_path}
+ touch -acmr #{reference_file_path} #{target_file_path}
 cleanup_command: 'rm -f #{target_file_path}
 
 '
diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml
index 57361ea2..96bf9226 100644
--- a/atomics/Indexes/macos-index.yaml
+++ b/atomics/Indexes/macos-index.yaml
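Review bot: Both added `touch` lines in the `command: |` block of the index.yaml hunk interpolate `#{target_file_path}` and `#{reference_file_path}` unquoted. Assuming the runner substitutes these placeholders textually, an overridden path containing a space or a shell metacharacter is split or interpreted by `sh` instead of reaching `touch` as one argument. Quoting keeps the test predictable: `touch "#{target_file_path}"` and `touch -acmr "#{reference_file_path}" "#{target_file_path}"`. The same two lines recur in the linux-index.yaml and macos-index.yaml hunks and in the T1070.006.md code block, and the context line `cleanup_command: 'rm -f #{target_file_path}` follows the same unquoted pattern. The test entry starts above this hunk and the executor mapping continues below it, so its remaining keys are not visible here.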
@@ -5215,20 +5215,10 @@ defense-evasion:
 description: Path of reference file to read timestamps from
 type: path
 default: "/bin/sh"
- dependencies:
- - description: 'The file must exist in order to be timestomped
-
- '
- prereq_command: 'test -e #{target_file_path} && exit 0 || exit 1
-
- '
- get_prereq_command: 'echo ''T1070.006 reference file timestomp test'' > #{target_file_path}
-
- '
 executor:
- command: 'touch -acmr #{reference_file_path} #{target_file_path}
-
- '
+ command: |
+ touch #{target_file_path}
+ touch -acmr #{reference_file_path} #{target_file_path}
 cleanup_command: 'rm -f #{target_file_path}
 
 '
diff --git a/atomics/T1070.006/T1070.006.md b/atomics/T1070.006/T1070.006.md
index b76a9563..500844b3 100644
--- a/atomics/T1070.006/T1070.006.md
+++ b/atomics/T1070.006/T1070.006.md
@@ -196,6 +196,7 @@ This technique was used by the threat actor Rocke during the compromise of Linux
 ```sh
+touch #{target_file_path}
 touch -acmr #{reference_file_path} #{target_file_path}
 ```
@@ -206,18 +207,6 @@ rm -f #{target_file_path}
-#### Dependencies: Run with `sh`!
-##### Description: The file must exist in order to be timestomped
-##### Check Prereq Commands:
-```sh
-test -e #{target_file_path} && exit 0 || exit 1
-```
-##### Get Prereq Commands:
-```sh
-echo 'T1070.006 reference file timestomp test' > #{target_file_path}
-```
-
-