Type: Detection | Level: medium | Status: test
Program Executions in Suspicious Folders
Detects program executions in suspicious non-program folders related to malware or hacking activity
Author: Florian Roth (Nextron Systems)
Created: Tue Jan 23
Updated: Sat Nov 27
Rule ID: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
Tags: linux
Log Source
Product: Linux
Service: auditd
Detection Logic
detection:
    selection:
        type: 'SYSCALL'
        exe|startswith:
            # Temporary folder
            - '/tmp/'
            # Web server
            - '/var/www/'                 # Standard
            - '/home/*/public_html/'      # Per-user
            - '/usr/local/apache2/'       # Classical Apache
            - '/usr/local/httpd/'         # Old SuSE Linux 6.* Apache
            - '/var/apache/'              # Solaris Apache
            - '/srv/www/'                 # SuSE Linux 9.*
            - '/home/httpd/html/'         # Redhat 6 or older Apache
            - '/srv/http/'                # ArchLinux standard
            - '/usr/share/nginx/html/'    # ArchLinux nginx
            # Data dirs of typically exploited services (incomplete list)
            - '/var/lib/pgsql/data/'
            - '/usr/local/mysql/data/'
            - '/var/lib/mysql/'
            - '/var/vsftpd/'
            - '/etc/bind/'
            - '/var/named/'
    condition: selection
False Positives
Admin activity (especially in /tmp folders)
Crazy web applications
References
1. Internal Research
MITRE ATT&CK
Rule Metadata
Rule ID
a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
Status
test
Level
medium
Type
Detection
Created
Tue Jan 23
Modified
Sat Nov 27
Path
rules/linux/auditd/syscall/lnx_auditd_susp_exe_folders.yml
Raw Tags
attack.t1587, attack.t1584, attack.resource-development