title: Program Executions in Suspicious Folders
id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
status: experimental
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
references:
    - Internal Research
date: 2018/01/23
author: Florian Roth
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        exe:
            # Temporary folder
            - '/tmp/*'
            # Web server 
            - '/var/www/*'              # Standard
            - '/home/*/public_html/*'   # Per-user
            - '/usr/local/apache2/*'    # Classical Apache
            - '/usr/local/httpd/*'      # Old SuSE Linux 6.* Apache
            - '/var/apache/*'           # Solaris Apache
            - '/srv/www/*'              # SuSE Linux 9.*
            - '/home/httpd/html/*'      # Redhat 6 or older Apache
            - '/srv/http/*'             # ArchLinux standard
            - '/usr/share/nginx/html/*' # ArchLinux nginx
            # Data dirs of typically exploited services (incomplete list)
            - '/var/lib/pgsql/data/*'
            - '/usr/local/mysql/data/*'
            - '/var/lib/mysql/*'
            - '/var/vsftpd/*'
            - '/etc/bind/*'
            - '/var/named/*'
    condition: selection
falsepositives:
    - Admin activity (especially in /tmp folders)
    - Crazy web applications
level: medium