Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Sigma rule (View on GitHub)
1title: Potentially Suspicious Execution From Tmp Folder
2id: 312b42b1-bded-4441-8b58-163a3af58775
3status: test
4description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
5references:
6 - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
7 - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
8 - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
9 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
10author: Joseliyo Sanchez, @Joseliyo_Jstnk
11date: 2023-06-02
12modified: 2025-08-05
13tags:
14 - attack.defense-evasion
15 - attack.t1036
16logsource:
17 product: linux
18 category: process_creation
19detection:
20 selection:
21 Image|startswith: '/tmp/'
22 filter_optional_nextcloud:
23 Image|endswith: '/usr/bin/nextcloud'
24 condition: selection and not 1 of filter_optional_*
25falsepositives:
26 - Unknown
27level: medium
References
-
JPCERT/CC has confirmed attacks that infected routers in Japan with malware around February 2023. This blog article explains the details of the attack confirmed by JPCERT/CC and GobRAT malware, which was used in the attack. ### Attack flow up to...
Read More -
-
Related rules
- Explorer Process Tree Break
- Potential LSASS Process Dump Via Procdump
- Suspicious Child Process Of Wermgr.EXE
- CreateDump Process Dump
- DumpMinitool Execution