diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
index aa8b8c614..1d9228cf6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
@@ -9,6 +9,7 @@ references:
     - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023-06-02
+modified: 2025-08-05
 tags:
     - attack.defense-evasion
     - attack.t1036
@@ -18,7 +19,9 @@ logsource:
 detection:
     selection:
         Image|startswith: '/tmp/'
-    condition: selection
+    filter_optional_nextcloud:
+        Image|endswith: '/usr/bin/nextcloud'
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high
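Review bot: The new `filter_optional_nextcloud` exclusion keys only on a path suffix the attacker controls, so any payload staged as e.g. `/tmp/x/usr/bin/nextcloud` now slips past a `level: high` rule; the `Image|endswith` on its own is too broad for an exclusion under `/tmp/`. If the intent is the Nextcloud AppImage, which (as far as I can tell) unpacks under a `/tmp/.mount_*` directory, anchor the filter on that prefix as well: `filter_optional_nextcloud:` / `Image|startswith: '/tmp/.mount_'` / `Image|endswith: '/usr/bin/nextcloud'` (both keys in the same map, so they AND together). Since the change introduces a known benign case, `falsepositives` should also stop saying `Unknown` and list something like `AppImage applications that extract and execute under /tmp (e.g. Nextcloud desktop client)`, and the rule's `description`, which lies outside this hunk, may need the same note.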