Shell Execution Of Process Located In Tmp Directory

Detects execution of shells from a parent process located in a temporary (/tmp) directory

Sigma rule (View on GitHub)

 1title: Shell Execution Of Process Located In Tmp Directory
 2id: 2fade0b6-7423-4835-9d4f-335b39b83867
 3status: experimental
 4description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
 5references:
 6    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
 7    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
 8    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
 9    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
10author: Joseliyo Sanchez, @Joseliyo_Jstnk
11date: 2023/06/02
12tags:
13    - attack.execution
14logsource:
15    product: linux
16    category: process_creation
17detection:
18    selection:
19        ParentImage|startswith: '/tmp/'
20        Image|endswith:
21            - '/bash'
22            - '/csh'
23            - '/dash'
24            - '/fish'
25            - '/ksh'
26            - '/sh'
27            - '/zsh'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top