
Potentially Suspicious Execution From Tmp Folder

Sigma Rules

Summary
This detection rule identifies potentially suspicious execution of processes located in the '/tmp/' directory on Linux systems. '/tmp/' is routinely used for temporary file storage by applications and processes, but it is also commonly used by attackers to drop and execute malicious scripts or executables, since files there receive less scrutiny than binaries under the usual system paths. The rule matches processes whose execution image path starts with '/tmp/', indicating that they were launched from this less monitored directory. Monitoring such executions lets administrators surface malicious activity, in particular from malware that uses '/tmp/' as a staging area before execution. The rule fires whenever its selection condition is met, producing high-level alerts for potentially malicious behavior originating from '/tmp/' and thereby supporting proactive defense against threats such as GobRAT malware and the others referenced in the provided links.
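Added example, not the rule's own YAML or any project's code: a minimal Python evaluator for the single-selection rule the summary describes, run over constructed Linux process-creation events. The `Image` field name, the `|startswith` modifier and Sigma's default case-insensitive string matching are assumptions taken from Sigma's process_creation conventions, since the rule source itself is not shown on this page.

```python
# Reconstructed from the summary above (assumption: the real rule may carry
# additional fields or filters that this page does not show).
RULE = {
    "title": "Potentially Suspicious Execution From Tmp Folder",
    "logsource": {"product": "linux", "category": "process_creation"},
    "detection": {
        "selection": {"Image|startswith": "/tmp/"},
        "condition": "selection",
    },
}

# Constructed sample process-creation events, not real telemetry.
EVENTS = [
    {"Image": "/usr/bin/curl", "CommandLine": "curl -s https://example.invalid", "User": "web"},
    {"Image": "/tmp/.x/updater", "CommandLine": "/tmp/.x/updater -d", "User": "web"},
    {"Image": "/tmp/build/a.out", "CommandLine": "./a.out", "User": "dev"},
    {"Image": "/var/tmp/foo", "CommandLine": "/var/tmp/foo", "User": "root"},
]


def field_matches(event, key, expected):
    """Apply one Sigma field test. Sigma string matching is case-insensitive
    by default, so both sides are lower-cased before comparison."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = str(value).lower(), str(expected).lower()
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """Field tests inside one selection map are ANDed together."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def run_rule(rule, events):
    """Return the events that satisfy the rule. Only the plain
    'condition: selection' form is handled, which is all this rule needs."""
    det = rule["detection"]
    if det["condition"] != "selection":
        raise ValueError("only 'condition: selection' is supported")
    return [e for e in events if selection_matches(e, det["selection"])]


if __name__ == "__main__":
    for hit in run_rule(RULE, EVENTS):
        print(f"ALERT [{RULE['title']}] {hit['Image']} run by {hit['User']}")
```

Note that '/var/tmp/foo' is not matched: the prefix test is anchored at the start of the path, so world-writable directories other than '/tmp/' need their own selection if you want to cover them.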
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
Created: 2023-06-02