From 4ba778f030cbb83341aa16d1815abe2bca3728ff Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Fri, 8 Aug 2025 15:01:07 +0545
Subject: [PATCH] fix: potentially suspicious execution from tmp folder - nextcloud fp from tmp folder
---
 .../proc_creation_lnx_susp_execution_tmp_folder.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
index aa8b8c614..1d9228cf6 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml
@@ -9,6 +9,7 @@ references:
 - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023-06-02
+modified: 2025-08-05
 tags:
 - attack.defense-evasion
 - attack.t1036
@@ -18,7 +19,9 @@ logsource:
 detection:
 selection:
 Image|startswith: '/tmp/'
-condition: selection
+filter_optional_nextcloud:
+Image|endswith: '/usr/bin/nextcloud'
+condition: selection and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: high
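Review bot: The new `filter_optional_nextcloud` exclusion in the second hunk keys only on the path suffix `/usr/bin/nextcloud`, so every process image under `/tmp/` whose path ends that way is dropped from a rule tagged attack.t1036 (masquerading), and a purely name-based exclusion is weak for exactly that detection goal. If the false positive is the Nextcloud desktop AppImage, its runtime presumably mounts under a `/tmp/.mount_*` directory, so adding `Image|startswith: '/tmp/.mount_'` alongside the existing `Image|endswith` line (fields in one selection are ANDed) would narrow the exclusion to that layout; confirm the real mount prefix from the events that motivated the fix before pinning it. Independently, `falsepositives` still reads `- Unknown` even though the commit now documents a specific one; replace it with something like `- Nextcloud desktop client launched from an AppImage mounted under /tmp` so analysts know why the exclusion exists and when it can be removed.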