Unusual Process Execution - Temp
Identifies processes started with `/tmp` as their working directory. Adversaries sometimes run tooling from temporary folders to hide malware.
# Elastic prebuilt detection rule: "Unusual Process Execution - Temp".
# The rule is marked deprecated in [metadata]; the replacement rule is not
# named in this file, so confirm the current equivalent before relying on it.
[metadata]
creation_date = "2020/02/18"
# deprecation_date equals updated_date: the deprecation was the last change.
deprecation_date = "2022/07/25"
maturity = "deprecated"
updated_date = "2022/07/25"

[rule]
author = ["Elastic"]
description = "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware."
# Known benign sources. Exemptions are expected to be added by the deploying
# team (process name or user), not baked into the query below.
false_positives = [
 """
 Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by
 username.
 """,
]
# Lookback window per rule execution; presumably applied to event.ingested
# because of timestamp_override below, so late-arriving events are still seen.
from = "now-9m"
# Auditbeat and Elastic Endpoint process data streams.
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Process Execution - Temp"
# risk_score and severity should stay in agreement when either is changed.
risk_score = 47
rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "query"

# Matches process-start events (both `start` and `process_started`, presumably
# the Endpoint and Auditbeat spellings) whose working directory is /tmp.
# NOTE(review): coverage is narrow. Assuming process.working_directory is a
# keyword field, the term `/tmp` matches only that exact value: a process
# started from /tmp/<subdir>, /var/tmp or /dev/shm is not matched, and
# process.executable is never checked, so a binary stored in /tmp but launched
# from another directory is also missed. Treat hits as a low-fidelity signal.
# NOTE(review): the parent-name exclusions (apt, apt-*, packagekitd, ...) are
# coarse; anything spawned by a process with one of those names is dropped,
# which an attacker who controls the parent process name can exploit.
# The process.args exclusions match an argument equal to the listed path.
query = '''
event.category:process and event.type:(start or process_started) and process.working_directory:/tmp and
 not process.parent.name:(update-motd-updates-available or
 apt or apt-* or
 cnf-update-db or
 appstreamcli or
 unattended-upgrade or
 packagekitd) and
 not process.args:(/usr/lib/update-notifier/update-motd-updates-available or
 /var/lib/command-not-found/)
'''


# ATT&CK mapping. Only the tactic is given; no technique is listed, so the
# mapping is intentionally broad.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"