Program Executions in Suspicious Folders

calendar Feb 1, 2023 · attack.t1587 attack.t1584 attack.resource_development  ·
Share on: linkedin copy

Detects program executions in suspicious non-program folders related to malware or hacking activity

Sigma rule (View on GitHub)

 1title: Program Executions in Suspicious Folders
 2id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
 3status: test
 4description: Detects program executions in suspicious non-program folders related to malware or hacking activity
 5references:
 6    - Internal Research
 7author: Florian Roth (Nextron Systems)
 8date: 2018/01/23
 9modified: 2021/11/27
10tags:
11    - attack.t1587
12    - attack.t1584
13    - attack.resource_development
14logsource:
15    product: linux
16    service: auditd
17detection:
18    selection:
19        type: 'SYSCALL'
20        exe|startswith:
21            # Temporary folder
22            - '/tmp/'
23            # Web server
24            - '/var/www/'              # Standard
25            - '/home/*/public_html/'   # Per-user
26            - '/usr/local/apache2/'    # Classical Apache
27            - '/usr/local/httpd/'      # Old SuSE Linux 6.* Apache
28            - '/var/apache/'           # Solaris Apache
29            - '/srv/www/'              # SuSE Linux 9.*
30            - '/home/httpd/html/'      # Redhat 6 or older Apache
31            - '/srv/http/'             # ArchLinux standard
32            - '/usr/share/nginx/html/' # ArchLinux nginx
33            # Data dirs of typically exploited services (incomplete list)
34            - '/var/lib/pgsql/data/'
35            - '/usr/local/mysql/data/'
36            - '/var/lib/mysql/'
37            - '/var/vsftpd/'
38            - '/etc/bind/'
39            - '/var/named/'
40    condition: selection
41falsepositives:
42    - Admin activity (especially in /tmp folders)
43    - Crazy web applications
44level: medium

References

Related rules

to-top