Techniques
Sample rules
Unusual Process Execution - Temp
- source: elastic
- techniques:
Description
Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware.
Detection logic
event.category:process and event.type:(start or process_started) and process.working_directory:/tmp and
not process.parent.name:(update-motd-updates-available or
apt or apt-* or
cnf-update-db or
appstreamcli or
unattended-upgrade or
packagekitd) and
not process.args:(/usr/lib/update-notifier/update-motd-updates-available or
/var/lib/command-not-found/)
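To make the exclusions concrete, here is an added example (not Elastic's code and not part of the rule page) that re-implements the detection logic above in Python and runs it over a few constructed ECS-style process events. It assumes KQL keyword semantics: exact value match for `event.category`, `event.type` and `process.working_directory`, glob-style matching for `apt-*`, and list membership for `process.args`. The sample events and their field values are constructed for the demonstration.

```python
from fnmatch import fnmatchcase

# Parent process names excluded by the rule; `apt-*` is a KQL wildcard.
EXCLUDED_PARENT_NAMES = (
    "update-motd-updates-available",
    "apt", "apt-*",
    "cnf-update-db",
    "appstreamcli",
    "unattended-upgrade",
    "packagekitd",
)

# Argument values excluded by the rule (any element of process.args may match).
EXCLUDED_ARGS = (
    "/usr/lib/update-notifier/update-motd-updates-available",
    "/var/lib/command-not-found/",
)


def _values(event, dotted):
    """Return the values at a dotted ECS path as a list; KQL treats scalars and arrays alike."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return node if isinstance(node, list) else [node]


def _any_match(values, patterns):
    """True if any value matches any pattern (exact, or glob when the pattern has `*`)."""
    return any(fnmatchcase(str(v), p) for v in values for p in patterns)


def matches_rule(event):
    """Evaluate the 'Unusual Process Execution - Temp' logic for one event."""
    if "process" not in _values(event, "event.category"):
        return False
    if not _any_match(_values(event, "event.type"), ("start", "process_started")):
        return False
    # Exact term match: "/tmp" only, not "/tmp/build" (KQL keyword semantics).
    if "/tmp" not in _values(event, "process.working_directory"):
        return False
    if _any_match(_values(event, "process.parent.name"), EXCLUDED_PARENT_NAMES):
        return False
    if _any_match(_values(event, "process.args"), EXCLUDED_ARGS):
        return False
    return True


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # An interactive shell starting a binary with /tmp as its working directory: alerts.
    {"event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "a.out", "working_directory": "/tmp",
                 "args": ["./a.out"], "parent": {"name": "bash"}}},
    # A package-manager child; excluded by the `apt-*` parent-name wildcard.
    {"event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "dpkg", "working_directory": "/tmp",
                 "args": ["dpkg", "--configure", "-a"], "parent": {"name": "apt-get"}}},
    # The update-notifier helper; excluded by process.args.
    {"event": {"category": ["process"], "type": "process_started"},
     "process": {"name": "python3", "working_directory": "/tmp",
                 "args": ["python3", "/usr/lib/update-notifier/update-motd-updates-available"],
                 "parent": {"name": "bash"}}},
    # Working directory is a subdirectory of /tmp; the exact-match term does not cover it.
    {"event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "make", "working_directory": "/tmp/build",
                 "args": ["make"], "parent": {"name": "bash"}}},
    # Not a process start event at all.
    {"event": {"category": ["process"], "type": ["end"]},
     "process": {"name": "a.out", "working_directory": "/tmp",
                 "args": ["./a.out"], "parent": {"name": "bash"}}},
]


def alerting_process_names(events):
    """Names of the processes in `events` that the rule would flag."""
    return [e["process"]["name"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_process_names(SAMPLE_EVENTS))
```

Only the first sample event fires. The fourth one shows a limit worth knowing when tuning the rule: because `process.working_directory:/tmp` is an exact term, a process whose working directory is a subdirectory such as `/tmp/build` is not matched; broadening that would require a wildcard or a separate rule, at the cost of more noise from legitimate build and package tooling.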