Processes executed from the /tmp/ directory may indicate adversary use of temporary directories to evade detection or persist across reboots, as attackers often leverage these locations for command and control or payload delivery. SOC teams should proactively hunt for such executions in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
Detection Rule
title: Potentially Suspicious Execution From Tmp Folder
id: 312b42b1-bded-4441-8b58-163a3af58775
status: test
description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
modified: 2025-08-05
tags:
    - attack.defense-evasion
    - attack.t1036
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|startswith: '/tmp/'
    filter_optional_nextcloud:
        Image|endswith: '/usr/bin/nextcloud'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
imProcessCreate
| where TargetProcessName startswith "/tmp/" and (not(TargetProcessName endswith "/usr/bin/nextcloud"))
- Scenario: A system administrator is using tmpwatch to clean up temporary files.
  Filter/Exclusion: Exclude processes with the full path /usr/sbin/tmpwatch, or check for the presence of /tmp/ in the command line with tmpwatch as the parent process.
- Scenario: A scheduled job runs a script that generates temporary files in /tmp/ for log processing.
  Filter/Exclusion: Exclude processes initiated by cron or systemd-tmpfiles, and filter for known log processing scripts (e.g., /usr/local/bin/log_cleanup.sh).
- Scenario: A developer is testing a script that writes temporary files to /tmp/ during development.
  Filter/Exclusion: Exclude processes with the user ID of the development team, or filter for known development tools like npm, docker, or pytest.
- Scenario: A legitimate application (e.g., nginx or mysql) creates temporary files in /tmp/ during operation.
  Filter/Exclusion: Exclude processes with the full path to the application binaries (e.g., /usr/sbin/nginx, /usr/sbin/mysqld), or check for known temporary file patterns used by the application.
- Scenario: A user is using tar or gzip to archive files and stores the output in /tmp/.
  Filter/Exclusion: Exclude processes where the command line includes tar or gzip and the output file is in /tmp/, or filter for known archiving tasks.
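The rule's selection/filter logic and one of the parent-process exclusions from the scenarios above, replayed in Python over constructed process-creation events. This is an added example, not the rule author's tooling; the /usr/sbin/tmpwatch parent path is taken from the scenario list and the sample image paths are constructed.

```python
from dataclasses import dataclass

@dataclass
class ProcessCreate:
    image: str          # full path of the new process (Sigma 'Image' / KQL TargetProcessName)
    parent_image: str   # full path of the parent process (used only by the tuned variant)

# Core rule: condition is "selection and not 1 of filter_optional_*"
SELECTION_PREFIX = "/tmp/"
FILTER_OPTIONAL_SUFFIXES = ("/usr/bin/nextcloud",)

def rule_matches(ev: ProcessCreate) -> bool:
    # Sigma string matching and KQL startswith/endswith are case-insensitive by
    # default, so compare on lowercased paths to mirror the rule's semantics.
    image = ev.image.lower()
    selected = image.startswith(SELECTION_PREFIX)
    filtered = any(image.endswith(s) for s in FILTER_OPTIONAL_SUFFIXES)
    return selected and not filtered

# Site-specific tuning from the false-positive scenarios: drop children of tmpwatch.
# Any other parent path from the scenarios (cron, systemd-tmpfiles, ...) fits the same tuple.
def rule_matches_tuned(ev: ProcessCreate,
                       excluded_parents=("/usr/sbin/tmpwatch",)) -> bool:
    return rule_matches(ev) and ev.parent_image.lower() not in excluded_parents

def run(events, tuned: bool = False):
    """Return the image paths that fire, in event order."""
    check = rule_matches_tuned if tuned else rule_matches
    return [ev.image for ev in events if check(ev)]

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    ProcessCreate("/tmp/.x/update", "/bin/sh"),                          # fires
    ProcessCreate("/tmp/nc-appimage/usr/bin/nextcloud", "/usr/bin/bash"),  # filter_optional_nextcloud
    ProcessCreate("/usr/bin/ls", "/bin/bash"),                           # not under /tmp/
    ProcessCreate("/tmp/cleanup.sh", "/usr/sbin/tmpwatch"),              # fires; suppressed when tuned
]

if __name__ == "__main__":
    print("base rule :", run(SAMPLE_EVENTS))
    print("tuned rule:", run(SAMPLE_EVENTS, tuned=True))
```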