LoFP / legitimate downloads of files in the tmp folder.

Techniques

• t1105

Sample rules

Wget Creating Files in Tmp Directory

• source: sigma
• technicques:
  • t1105

Description

Detects the use of wget to download content in a temporary directory such as “/tmp” or “/var/tmp”

Detection logic

condition: selection
selection:
  Image|endswith: /wget
  TargetFilename|startswith:
  - /tmp/
  - /var/tmp/