Potentially Suspicious Execution From Tmp Folder

Rule Info

Name
Potentially Suspicious Execution From Tmp Folder
Author
Joseliyo Sanchez, @Joseliyo_Jstnk
Description
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Reference
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
Date
2023-06-02 00:00:00
Modified
None
Id
312b42b1-bded-4441-8b58-163a3af58775
Tags
attack.defense_evasion attack.t1036 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=312b42b1-bded-4441-8b58-163a3af58775

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4791 from @nasbench - Promote older rules status from `experimental` to `test`
2024-04-01
a8e1ecd65
Tessa Georgen
Merge PR #4392 from @tjgeorgen - Update MITRE Tags
2023-08-28
60b8e9b70
jstnk9
feat: new linux rules related to GobRAT malware (#4272)
2023-06-02
04cf7e9ea
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022