← Back to Explore
sigmamediumHunting
Program Executions in Suspicious Folders
Detects program executions in suspicious non-program folders related to malware or hacking activity
Detection Query
selection:
type: SYSCALL
exe|startswith:
- /tmp/
- /var/www/
- /home/*/public_html/
- /usr/local/apache2/
- /usr/local/httpd/
- /var/apache/
- /srv/www/
- /home/httpd/html/
- /srv/http/
- /usr/share/nginx/html/
- /var/lib/pgsql/data/
- /usr/local/mysql/data/
- /var/lib/mysql/
- /var/vsftpd/
- /etc/bind/
- /var/named/
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2018-01-23
Data Sources
linuxauditd
Platforms
linux
References
Tags
attack.t1587attack.t1584attack.resource-development
Raw Content
title: Program Executions in Suspicious Folders
id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
status: test
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-01-23
modified: 2021-11-27
tags:
- attack.t1587
- attack.t1584
- attack.resource-development
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
exe|startswith:
# Temporary folder
- '/tmp/'
# Web server
- '/var/www/' # Standard
- '/home/*/public_html/' # Per-user
- '/usr/local/apache2/' # Classical Apache
- '/usr/local/httpd/' # Old SuSE Linux 6.* Apache
- '/var/apache/' # Solaris Apache
- '/srv/www/' # SuSE Linux 9.*
- '/home/httpd/html/' # Redhat 6 or older Apache
- '/srv/http/' # ArchLinux standard
- '/usr/share/nginx/html/' # ArchLinux nginx
# Data dirs of typically exploited services (incomplete list)
- '/var/lib/pgsql/data/'
- '/usr/local/mysql/data/'
- '/var/lib/mysql/'
- '/var/vsftpd/'
- '/etc/bind/'
- '/var/named/'
condition: selection
falsepositives:
- Admin activity (especially in /tmp folders)
- Crazy web applications
level: medium