Suspicious process execution from tmp folder

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Kubernetes - AGENT, Containers

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Hidden Files and Directories (T1564.001)

Severity

Informational

Response playbooks

Suspicious execution from tmp folder

Description

An unpopular process was executed from the tmp folder.

Attacker's Goals

Attackers may run an executable from a folder that is writable to all users and use it to avoid detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.

Variations

A web server process executed an unpopular application from the tmp folder

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Hidden Files and Directories (T1564.001)

Severity

Medium

Response playbooks

Suspicious execution from tmp folder

Description

A web server process executed an executable application from the tmp folder.

Attacker's Goals

Attackers may run an executable from a folder that is writable to all users and use it to avoid detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.

Suspicious cron job task execution of a binary from the tmp folder

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Hidden Files and Directories (T1564.001)

Severity

Medium

Response playbooks

Suspicious execution from tmp folder

Description

An unpopular process was executed from the tmp folder.

Attacker's Goals

Attackers may run an executable from a folder that is writable to all users and use it to avoid detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.

Suspicious interactive execution of a binary from the tmp folder

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Hidden Files and Directories (T1564.001)

Severity

Medium

Response playbooks

Suspicious execution from tmp folder

Description

An unpopular process was executed from the tmp folder.

Attacker's Goals

Attackers may run an executable from a folder that is writable to all users and use it to avoid detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.

Suspicious process execution from tmp folder in a Kubernetes pod

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Hide Artifacts: Hidden Files and Directories (T1564.001)

Severity

Informational

Description

An unpopular process was executed from the tmp folder.

Attacker's Goals

Attackers may run an executable from a folder that is writable to all users and use it to avoid detection.

Investigative actions

  • Verify that this isn't IT activity.
  • Look for other hosts executing similar commands.
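The following Python sketch is an added illustration of the logic the alert and its variations describe; it is not Cortex XSIAM's detector or its XQL. The tmp folder list, parent-process names, and the "unpopular" threshold (seen on fewer than 3 hosts during the training period) are assumptions chosen for the example, and the sample telemetry is constructed.

```python
from dataclasses import dataclass

TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")       # assumed set of "tmp folders"
WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm"}  # assumed web server parent names
CRON = {"cron", "crond"}
SHELLS = {"bash", "sh", "zsh"}
MIN_HOSTS_POPULAR = 3  # assumption: seen on >= 3 hosts in training => "popular"

@dataclass
class ProcEvent:
    host: str
    image: str            # full path of the executed binary
    parent: str           # parent process name
    tty: bool = False     # spawned from an interactive terminal session
    in_pod: bool = False  # agent tagged the process as running in a Kubernetes pod

def build_baseline(training):
    """Training period: count distinct hosts on which each image path ran."""
    hosts = {}
    for e in training:
        hosts.setdefault(e.image, set()).add(e.host)
    return {img: len(h) for img, h in hosts.items()}

def classify(e, baseline):
    """Return (variation, severity) for an alerting event, or None if no alert."""
    if not e.image.startswith(TMP_DIRS):
        return None
    if baseline.get(e.image, 0) >= MIN_HOSTS_POPULAR:
        return None  # popular in this environment: not alerted
    if e.parent in WEB_SERVERS:      # variation order is an assumption
        return ("web server", "Medium")
    if e.parent in CRON:
        return ("cron job", "Medium")
    if e.parent in SHELLS and e.tty:
        return ("interactive", "Medium")
    if e.in_pod:
        return ("kubernetes pod", "Informational")
    return ("base", "Informational")

# Constructed sample telemetry (not real data).
TRAINING = [ProcEvent(f"h{i}", "/tmp/updater", "systemd") for i in range(4)] \
         + [ProcEvent("h1", "/tmp/.x", "bash")]
EVENTS = [
    ProcEvent("web1", "/tmp/.x", "nginx"),
    ProcEvent("srv2", "/tmp/.x", "crond"),
    ProcEvent("dev3", "/tmp/.x", "bash", tty=True),
    ProcEvent("node4", "/tmp/.x", "sh", in_pod=True),
    ProcEvent("srv5", "/tmp/.x", "systemd"),
    ProcEvent("srv6", "/tmp/updater", "nginx"),          # popular: suppressed
    ProcEvent("srv7", "/usr/bin/ls", "bash", tty=True),  # not a tmp folder
]

def run_demo():
    """Classify the sample events against the baseline built from TRAINING."""
    return [classify(e, build_baseline(TRAINING)) for e in EVENTS]
```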