Program Executions in Suspicious Folders
Detects program executions in suspicious non-program folders related to malware or hacking activity
Sigma rule
```yaml
title: Program Executions in Suspicious Folders
id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
status: test
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-01-23
modified: 2021-11-27
tags:
    - attack.t1587
    - attack.t1584
    - attack.resource-development
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        exe|startswith:
            # Temporary folder
            - '/tmp/'
            # Web server
            - '/var/www/'               # Standard
            - '/home/*/public_html/'    # Per-user
            - '/usr/local/apache2/'     # Classical Apache
            - '/usr/local/httpd/'       # Old SuSE Linux 6.* Apache
            - '/var/apache/'            # Solaris Apache
            - '/srv/www/'               # SuSE Linux 9.*
            - '/home/httpd/html/'       # Redhat 6 or older Apache
            - '/srv/http/'              # ArchLinux standard
            - '/usr/share/nginx/html/'  # ArchLinux nginx
            # Data dirs of typically exploited services (incomplete list)
            - '/var/lib/pgsql/data/'
            - '/usr/local/mysql/data/'
            - '/var/lib/mysql/'
            - '/var/vsftpd/'
            - '/etc/bind/'
            - '/var/named/'
    condition: selection
falsepositives:
    - Admin activity (especially in /tmp folders)
    - Crazy web applications
level: medium
```
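As an added illustration (not code from the rule or the Sigma project), the selection above applied in Python to a few constructed auditd records: `exe|startswith` becomes an anchored regex with Sigma's `*` wildcard expanded, and a simple key=value splitter written for this example stands in for a real auditd parser.

```python
import re

# The rule's exe|startswith values; in Sigma a '*' is a wildcard matching any run of characters
SUSPICIOUS_EXE_PREFIXES = [
    "/tmp/", "/var/www/", "/home/*/public_html/", "/usr/local/apache2/", "/usr/local/httpd/",
    "/var/apache/", "/srv/www/", "/home/httpd/html/", "/srv/http/", "/usr/share/nginx/html/",
    "/var/lib/pgsql/data/", "/usr/local/mysql/data/", "/var/lib/mysql/", "/var/vsftpd/",
    "/etc/bind/", "/var/named/",
]

def sigma_startswith_regex(value: str) -> re.Pattern:
    """Compile a Sigma startswith value into an anchored regex, expanding '*' to '.*'."""
    return re.compile("^" + re.escape(value).replace(r"\*", ".*"))

COMPILED_PREFIXES = [sigma_startswith_regex(v) for v in SUSPICIOUS_EXE_PREFIXES]

# auditd records are space-separated key=value pairs, string values usually double-quoted
# (hex-encoded unquoted values that auditd emits for unusual characters are not decoded here)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_record(line: str) -> dict:
    """Return the key=value fields of one auditd record as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def matches_rule(line: str) -> bool:
    """Apply the rule's selection: type=SYSCALL and exe under one of the listed folders."""
    fields = parse_audit_record(line)
    if fields.get("type") != "SYSCALL":
        return False
    exe = fields.get("exe", "")
    return any(rx.match(exe) for rx in COMPILED_PREFIXES)

def alerting_exes(lines) -> list:
    """Return the exe path of every record that matches the rule, in input order."""
    return [parse_audit_record(l)["exe"] for l in lines if matches_rule(l)]

# Constructed sample records (not real logs); only the fields the rule reads are meaningful
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:11): arch=c000003e syscall=59 success=yes exit=0 comm="kworker" exe="/tmp/.x/kworker" key="exec"',
    'type=SYSCALL msg=audit(1700000000.102:12): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=SYSCALL msg=audit(1700000000.103:13): arch=c000003e syscall=59 success=yes exit=0 comm="sh" exe="/home/alice/public_html/cgi-bin/sh" key="exec"',
    'type=PATH msg=audit(1700000000.103:13): item=0 name="/tmp/dropper" inode=1234 mode=0100755',
    'type=SYSCALL msg=audit(1700000000.104:14): arch=c000003e syscall=59 success=yes exit=0 comm="perl" exe="/var/www/html/.cache/perl" key="exec"',
]

if __name__ == "__main__":
    for exe in alerting_exes(SAMPLE_LOG):
        print("ALERT", exe)
```

Note that the PATH record naming `/tmp/dropper` does not fire: the rule keys on the `exe` field of SYSCALL records, so a file merely written to `/tmp/` is out of scope until it is executed.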