Adversaries may spawn a shell from a process running out of the /tmp directory to evade detection and persist on the system. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential command-and-control activity or initial-compromise vectors.
Detection Rule
title: Shell Execution Of Process Located In Tmp Directory
id: 2fade0b6-7423-4835-9d4f-335b39b83867
status: test
description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentImage|startswith: '/tmp/'
        Image|endswith:
            - '/bash'
            - '/csh'
            - '/dash'
            - '/fish'
            - '/ksh'
            - '/sh'
            - '/zsh'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (KQL)
imProcessCreate
| where (ParentProcessName startswith "/tmp/" or ActingProcessName startswith "/tmp/")
    and (TargetProcessName endswith "/bash"
        or TargetProcessName endswith "/csh"
        or TargetProcessName endswith "/dash"
        or TargetProcessName endswith "/fish"
        or TargetProcessName endswith "/ksh"
        or TargetProcessName endswith "/sh"
        or TargetProcessName endswith "/zsh")
False Positive Scenarios
Scenario: A system administrator is using bash to run a one-off script located in /tmp for temporary testing or debugging.
Filter/Exclusion: Exclude processes where the parent process is a known administrative tool (e.g., systemd, sshd, or sudo) or where the command line includes -c with a known admin script path.

Scenario: A scheduled job (e.g., via cron or at) runs a script in /tmp to clean up temporary files or generate reports.
Filter/Exclusion: Exclude processes where the parent process is the cron daemon (cron) or where the command line includes a known cleanup script or report-generation tool (e.g., logrotate, rsyslog).

Scenario: A developer is using tmux or screen to run a temporary shell session in /tmp for testing a local application.
Filter/Exclusion: Exclude processes where the parent process is a terminal multiplexer (tmux, screen) or where the command line includes a known development tool (e.g., node, python, npm).

Scenario: A legitimate system process (e.g., rsyslog, auditd, or logrotate) writes temporary files to /tmp and executes a shell command for processing.
Filter/Exclusion: Exclude processes where the parent process is a system service or daemon (e.g., rsyslogd, auditd, logrotate) or where the command line includes a known system utility.

Scenario: A user is using a temporary shell session (e.g., via ssh or su) to run a script in /tmp for a short-lived task.
Filter/Exclusion: Exclude processes where the parent process is an SSH daemon (sshd) or where the command
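The following is an added example, not code from the Sigma rule, the Sentinel query or the rule's author: it re-implements the rule's selection (parent under /tmp/, child image ending in one of the listed shells) and the two kinds of exclusion the scenarios above describe (known parent tool, known script path), then runs both over constructed process-creation events. The allowlist values and the event data are hypothetical; the field names mirror the Sigma/ASIM fields used above.

```python
"""Added example (not the Sigma rule's or the Sentinel query's own code): the
rule's selection logic and scenario-style exclusions, re-implemented in Python
and run over constructed process-creation events."""
import os
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Shell basenames from the rule's Image|endswith list (leading slash included).
SHELLS = ("/bash", "/csh", "/dash", "/fish", "/ksh", "/sh", "/zsh")

# Assumed, site-specific allowlists (hypothetical values, not from the page).
ALLOWED_TMP_SCRIPTS = {"/tmp/cleanup_reports.sh"}
ALLOWED_PARENT_BASENAMES = {"cron", "sshd", "tmux", "screen"}


@dataclass
class ProcessEvent:
    parent_image: str   # ParentImage / ParentProcessName
    image: str          # Image / TargetProcessName
    command_line: str   # CommandLine of the child process


def matches_rule(ev: ProcessEvent) -> bool:
    """Sigma selection: ParentImage|startswith '/tmp/' and Image|endswith a shell.
    The slash in each suffix is what keeps '/usr/bin/ssh' from matching '/sh'."""
    return ev.parent_image.startswith("/tmp/") and ev.image.endswith(SHELLS)


def script_argument(command_line: str) -> Optional[str]:
    """First non-option argument of the shell's command line: the script path in
    'bash /tmp/x.sh' or the command string after -c. Later arguments are ignored,
    so an allowlisted path appended as a trailing argument does not satisfy the
    exclusion."""
    try:
        argv = shlex.split(command_line)
    except ValueError:           # unbalanced quotes: keep the alert
        return None
    for arg in argv[1:]:
        if not arg.startswith("-"):
            return arg
    return None


def is_excluded(ev: ProcessEvent) -> bool:
    """Exclusions in the spirit of the scenarios: known parent tool, or known
    script. Because the selection already requires the parent under /tmp/, the
    parent-name exclusion only bites if such a tool is itself run from /tmp/;
    the script allowlist is the one that actually removes hits."""
    parent_ok = os.path.basename(ev.parent_image) in ALLOWED_PARENT_BASENAMES
    script_ok = script_argument(ev.command_line) in ALLOWED_TMP_SCRIPTS
    return parent_ok or script_ok


def hunt(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Events that match the rule and survive the exclusions."""
    return [ev for ev in events if matches_rule(ev) and not is_excluded(ev)]


# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    ProcessEvent("/tmp/.x/update", "/bin/sh", "sh -c id"),                           # fires
    ProcessEvent("/usr/sbin/cron", "/bin/bash", "bash /tmp/cleanup_reports.sh"),     # parent not in /tmp
    ProcessEvent("/tmp/a.out", "/usr/bin/ssh", "ssh host"),                          # '/ssh' is not '/sh'
    ProcessEvent("/tmp/runner", "/usr/bin/fish", "fish"),                            # fires
    ProcessEvent("/tmp/runner", "/bin/bash", "bash /tmp/cleanup_reports.sh"),        # fires, then excluded
    ProcessEvent("/tmp/runner", "/bin/bash", "bash -c id /tmp/cleanup_reports.sh"),  # fires, not excluded
    ProcessEvent("/bin/bash", "/tmp/x.sh", "/tmp/x.sh"),                             # script is the child, not the parent
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent_image} image={ev.image} cmd={ev.command_line!r}")
```

Two points worth taking from the sample run: a script in /tmp launched by a normal shell (last event) never triggers this rule, because the rule keys on the parent's location, not the child's; and exclusions on parent names such as sshd or cron cannot reduce this rule's hits unless those binaries are themselves started from /tmp/, so tuning effort is better spent on a tight, first-argument-only script allowlist like the one shown.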