fix: potentially suspicious execution from tmp folder - nextcloud fp from tmp folder

2025-08-08 15:01:07 +05:45
parent bf077aac7d
commit 4ba778f030
1 changed files with 4 additions and 1 deletions
@@ -9,6 +9,7 @@ references:
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023-06-02
+modified: 2025-08-05
 tags:
    - attack.defense-evasion
    - attack.t1036
@@ -18,7 +19,9 @@ logsource:
 detection:
    selection:
        Image|startswith: '/tmp/'
-    condition: selection
+    filter_optional_nextcloud:
+        Image|endswith: '/usr/bin/nextcloud'
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
    - Unknown
 level: high