Suspicious process execution from tmp folder

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2026-01-14
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Kubernetes - AGENT, Containers

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Hidden Files and Directories (T1564.001)

Severity

Informational

Response playbooks

Suspicious execution from tmp folder

Description

An unpopular (rarely seen) process was executed from the tmp folder.

Attacker's Goals

Attackers may run an executable from a folder such as tmp, which is writable to all users, and rely on that location to avoid detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.

Variations

A web server process executed an unpopular application from the tmp folder

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Hidden Files and Directories (T1564.001)

Severity

Medium

Response playbooks

Suspicious execution from tmp folder

Description

An executable application was run from the tmp folder by a web server process.

Attacker's Goals

Attackers may run an executable from a folder such as tmp, which is writable to all users, and rely on that location to avoid detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.


Suspicious cron job task execution of a binary from the tmp folder

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Hidden Files and Directories (T1564.001)

Severity

Medium

Response playbooks

Suspicious execution from tmp folder

Description

An unpopular (rarely seen) process was executed from the tmp folder by a cron job.

Attacker's Goals

Attackers may run an executable from a folder such as tmp, which is writable to all users, and rely on that location to avoid detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.


Suspicious interactive execution of a binary from the tmp folder

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Hidden Files and Directories (T1564.001)

Severity

Medium

Response playbooks

Suspicious execution from tmp folder

Description

An unpopular (rarely seen) process was executed interactively from the tmp folder.

Attacker's Goals

Attackers may run an executable from a folder such as tmp, which is writable to all users, and rely on that location to avoid detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.


Suspicious process execution from tmp folder in a Kubernetes pod

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Hidden Files and Directories (T1564.001)

Severity

Informational

Description

An unpopular (rarely seen) process was executed from the tmp folder inside a Kubernetes pod.

Attacker's Goals

Attackers may run an executable from a folder such as tmp, which is writable to all users, and rely on that location to avoid detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.
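The following is an added illustration, not Cortex XDR code, of how the base alert and its four variations above can be derived from process-start telemetry: a tmp-folder image path, an "unpopular" prevalence score, the parent process type (web server, cron, interactive shell) or pod context, and the 1-day deduplication period from the synopsis. The tmp locations, parent-process groups, rarity threshold and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed thresholds and parent-process groups (assumptions; Cortex XDR's popularity model is not public).
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
WEB_SERVERS = {"httpd", "apache2", "nginx", "php-fpm"}
CRON_PARENTS = {"cron", "crond", "anacron"}
RARE_THRESHOLD = 3                  # image seen on <= 3 hosts during training counts as "unpopular"
DEDUP_WINDOW = timedelta(days=1)    # Deduplication Period from the synopsis

@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    image_path: str
    parent_name: str
    interactive: bool   # parent shell has a controlling tty
    in_pod: bool        # process runs inside a Kubernetes pod
    prevalence: int     # distinct hosts that ran this image during the training period

def classify(ev):
    # Only rare images launched from a tmp folder qualify; the parent decides the variation.
    if not ev.image_path.startswith(TMP_DIRS) or ev.prevalence > RARE_THRESHOLD:
        return None
    if ev.parent_name in WEB_SERVERS:
        return ("A web server process executed an unpopular application from the tmp folder", "Medium")
    if ev.parent_name in CRON_PARENTS:
        return ("Suspicious cron job task execution of a binary from the tmp folder", "Medium")
    if ev.interactive:
        return ("Suspicious interactive execution of a binary from the tmp folder", "Medium")
    if ev.in_pod:
        return ("Suspicious process execution from tmp folder in a Kubernetes pod", "Informational")
    return ("Suspicious process execution from tmp folder", "Informational")

def run(events):
    # Classify in time order; repeats of (host, image, variation) within 1 day are suppressed.
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        hit = classify(ev)
        key = (ev.host, ev.image_path, hit[0]) if hit else None
        if hit and (key not in last_seen or ev.ts - last_seen[key] >= DEDUP_WINDOW):
            last_seen[key] = ev.ts
            alerts.append((ev.host,) + hit)   # (host, variation title, severity)
    return alerts

T0 = datetime(2026, 1, 14, 9, 0)   # constructed sample telemetry
SAMPLE_EVENTS = [
    ProcessEvent(T0, "web-01", "/tmp/.cache/worker", "php-fpm", False, False, 1),
    ProcessEvent(T0 + timedelta(hours=2), "web-01", "/tmp/.cache/worker", "php-fpm", False, False, 1),
    ProcessEvent(T0 + timedelta(minutes=5), "build-07", "/var/tmp/sync.sh", "crond", False, False, 2),
    ProcessEvent(T0 + timedelta(minutes=9), "dev-03", "/tmp/a.out", "bash", True, False, 1),
    ProcessEvent(T0 + timedelta(minutes=15), "db-01", "/tmp/pg_dump_wrap", "systemd", False, False, 40),
]
```

Running `run(SAMPLE_EVENTS)` yields three alerts: the second web-01 event is deduplicated and the db-01 image is too common to be unpopular.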