This note documents detection patterns related to Suspicious Tmp Payloads on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| /tmp | Newly created executable file | Temporary payload staged | Critical | Very common attacker location. |
| /var/tmp | Executable binary or script | Persistent temp staging | Critical | Survives reboot unlike /tmp. |
| /dev/shm | Executable file | Memory-backed stealth payload | Critical | High stealth value. |
| File mode | executable bit set | Payload prepared for execution | Critical | Strong malicious indicator when recent. |
| File name | hidden or service-like name | Camouflage | High | Common names: .sys, .cache, dbus-update. |
| File type | ELF binary in temp | Native payload | Critical | Strong execution artifact. |
| File type | shell / python / perl script | Script payload | Critical | Common quick-stage payload. |
| Shell history | execute temp file | Payload launched | Critical | Strong operator evidence. |
| Shell history | chmod +x /tmp/... | Execution prep | Critical | Classic staging step. |
| auditd | execve from temp path | Process truth | Critical | Best attribution if enabled. |
| journalctl | process from temp path | Runtime clue | High | Depends on host logging. |
| Network telemetry | temp process opens socket | Active payload | Critical | Strong compromise signal. |
| File timestamps | recent temp creation | Timeline anchor | Critical | Correlates with intrusion window. |
| Deleted inodes | temp inode remnants | Payload removed after use | High | Indicates cleanup attempt. |
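As an added example (not part of the original note), the following scores every regular file under the temp directories against the indicators in the table above: exec bit, hidden name, ELF or script content, root owner and recent modification. The directory list and the 24-hour recency window are assumptions to tune for the host under review.

```python
"""Score regular files in Linux temp dirs against the staging indicators above
(exec bit, hidden name, ELF/script content, root owner, recent mtime). Added
example, not from the note; dir list and 24h window are assumptions to tune."""
import os
import stat
import time

TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
RECENT_SECONDS = 24 * 3600

def classify(path, now=None):
    """Return (score, reasons) for one file; each matched indicator adds one.
    lstat plus the S_ISREG check keeps FIFOs/sockets from blocking the open."""
    now = time.time() if now is None else now
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return 0, []
    reasons = []
    if st.st_mode & 0o111:
        reasons.append("executable bit set")
    if os.path.basename(path).startswith("."):
        reasons.append("hidden dotfile name")
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == b"\x7fELF":
        reasons.append("ELF binary in temp")
    elif head.startswith(b"#!"):
        reasons.append("script with interpreter line")
    if st.st_uid == 0:
        reasons.append("owned by root")
    if now - st.st_mtime < RECENT_SECONDS:
        reasons.append("modified within recent window")
    return len(reasons), reasons

def scan(dirs=TEMP_DIRS, now=None):
    """Walk dirs; return [(score, path, reasons)] strongest first. Unreadable or vanished files are skipped (note them: a cleanup clue)."""
    findings = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    score, reasons = classify(path, now)
                except OSError:
                    continue
                if score:
                    findings.append((score, path, reasons))
    findings.sort(key=lambda item: -item[0])
    return findings
```

Run it read-only during triage and feed the top hits into `stat`, `file` and `strings` as listed under Relevant Artifacts.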
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Temp payload after SSH login | Manual staging | Critical | Common attacker progression. |
| Temp payload after downloader | Stage-to-execute chain | Critical | Strong intrusion sequence. |
| Temp payload plus cron/service | Persistence link | Critical | Payload operationalized. |
| Hidden dotfile in temp | Basic stealth | High | Frequently overlooked. |
| Temp binary with root owner | Privileged execution | Critical | High severity. |
| Temp script references external IP | Callback logic | Critical | Strong malicious signal. |
| Temp file plus deleted shell history | Cleanup behavior | High | Operator discipline clue. |
| Temp payload reappears repeatedly | Re-staging or cron re-fetch | High | Durability pattern. |
| Temp file name mimics daemon | Camouflage | High | Common stealth pattern. |
| Temp payload launched by service account | Exploitation chain | Critical | Often web compromise signal. |
Common Tools
| Tool | Usage |
|---|---|
| chmod +x | Make payload executable. |
| ./payload | Direct local execution. |
| nohup | Background temp payload. |
| setsid | Detached execution. |
| mv | Rename payload to stealthier name. |
| rm | Cleanup after execution. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Temp directory | /tmp | Critical | Primary staging zone. |
| Persistent temp | /var/tmp | Critical | Common persistence-friendly staging. |
| Shared memory | /dev/shm | Critical | High stealth zone. |
| File metadata | stat | Critical | Timeline truth. |
| File type | file <payload> | Critical | Binary/script classification. |
| Strings | strings <payload> | High | Infra clues. |
| Shell history | .bash_history, .zsh_history | Critical | Launch evidence. |
| Audit logs | /var/log/audit/audit.log | Critical | Exec attribution. |
| Process tree | ps auxf | Critical | Live execution context. |
MITRE ATT&CK References
- T1105 Ingress Tool Transfer
- T1036 Masquerading
- T1059 Command and Scripting Interpreter
Decision Tree
- Are temp files suspicious?
  - Enumerate executables and recent files.
- Which path hosts payload?
  - /tmp, /var/tmp, /dev/shm.
- Was payload executed?
  - Shell history, auditd, process traces.
- Does payload connect outward?
  - Network sockets, strings, config.
- Is persistence linked?
  - Cron, services, startup files.
- Pivot
  - File → strings/hash.
  - Timestamp → intrusion timeline.
  - Owner → privilege context.
- Confirm payload
  - Recent executable temp file + execution evidence = strong malicious staging.
Example Detection Templates
Grep

```bash
find /tmp /var/tmp /dev/shm -type f -perm /111 2>/dev/null
find /tmp /var/tmp /dev/shm -type f -name ".*" 2>/dev/null
grep -R "/tmp/\|/var/tmp/\|/dev/shm/" /home/*/.bash_history /root/.bash_history 2>/dev/null
```

Journalctl

```bash
journalctl | grep -E "/tmp|/var/tmp|/dev/shm"
```

File Inspection

```bash
find /tmp /var/tmp /dev/shm -type f -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort
file /tmp/* /var/tmp/* /dev/shm/* 2>/dev/null
```

Sigma

```yaml
title: Linux Suspicious Temp Payloads
id: linux-suspicious-temp-payloads
status: experimental
description: Detects suspicious executable payloads staged in temporary Linux directories
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - '/tmp'
      - '/var/tmp'
      - '/dev/shm'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate installer temp artifacts
level: high
tags:
  - attack.execution
  - attack.t1105
```
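The keyword templates above match any message mentioning a temp path; the auditd "execve from temp path" indicator is more precise. As an added example (not part of the original note), this parser groups raw audit.log records by event id and returns the execve events whose binary or any argv element sits under a temp directory, which also catches a script launched through an interpreter, where `exe=` is only the interpreter. The sample records are constructed, and the `key="exec_tmp"` value assumes an audit rule such as `-a always,exit -F arch=b64 -S execve -F dir=/tmp -k exec_tmp` was loaded.

```python
"""Extract execve events run from temp paths out of raw auditd records.
Added example, not from the original note. The records are constructed;
key="exec_tmp" assumes a rule like '-a always,exit -F arch=b64 -S execve
-F dir=/tmp -k exec_tmp' was loaded (an assumption, not from the page)."""
import re

TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # audit hex-encodes odd argv unquoted

def parse_fields(rest):
    """Turn 'k=v k2="v two"' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}

def temp_execs(lines):
    """Group records by event id and return execve events whose binary or any
    argv element lies under a temp dir. Checking argv catches 'sh /dev/shm/x',
    where exe= is only the interpreter. Ordered by event timestamp."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, eid, rest = m.groups()
        ev = events.setdefault(eid, {"ts": float(ts)})
        ev.setdefault(rtype, {}).update(parse_fields(rest))
    hits = []
    for eid, ev in sorted(events.items(), key=lambda kv: kv[1]["ts"]):
        sc, ex = ev.get("SYSCALL", {}), ev.get("EXECVE", {})
        if sc.get("syscall") not in ("59", "322", "execve", "execveat"):
            continue  # 59/322 are x86-64 execve/execveat; ausearch -i prints names
        keys = sorted((k for k in ex if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
        argv = [ex[k] for k in keys]
        if any(p.startswith(TEMP_PREFIXES) for p in [sc.get("exe", "")] + argv):
            hits.append({"id": eid, "ts": ev["ts"], "exe": sc.get("exe"), "argv": argv,
                         "uid": sc.get("uid"), "auid": sc.get("auid"), "ppid": sc.get("ppid"),
                         "cwd": ev.get("CWD", {}).get("cwd")})
    return hits

# Constructed sample: a benign exec, a hidden binary run from /tmp, a script in /dev/shm run via sh as uid 33.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:4001): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2244 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.101:4001): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.250:4002): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2251 auid=1000 uid=1000 gid=1000 euid=1000 comm="dbus-update" exe="/tmp/.dbus-update" key="exec_tmp"
type=EXECVE msg=audit(1700000000.250:4002): argc=1 a0="./.dbus-update"
type=CWD msg=audit(1700000000.250:4002): cwd="/tmp"
type=SYSCALL msg=audit(1700000000.300:4003): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2260 auid=4294967295 uid=33 gid=33 euid=33 comm="sh" exe="/usr/bin/dash" key="exec_tmp"
type=EXECVE msg=audit(1700000000.300:4003): argc=2 a0="/bin/sh" a1="/dev/shm/.cache"
"""
```

Feed it the lines of /var/log/audit/audit.log; `auid=4294967295` (unset) with a service uid, as in the third event, is the "launched by service account" pattern from the Indirect Indicators table.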
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Temp execution control | Mount temp dirs noexec where possible | Critical | Major reduction in payload utility. |
| File monitoring | Watch temp dirs for executables | Critical | Strong invariant detection. |
| Auditd | Track execve from temp paths | High | Strong attribution. |
| Least privilege | Restrict service account temp execution | High | Limits exploitation paths. |
| Cleanup policy | Preserve suspicious temp artifacts before cleanup | High | Important forensic retention. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Any executable temp files? | find temp executables | Immediate payload check. |
| Which file is newest? | sort timestamps | Timeline anchor. |
| Is payload hidden? | inspect dotfiles | Stealth clue. |
| Was payload launched? | shell history / auditd | Execution proof. |
| Does payload connect out? | strings / sockets | C2 clue. |
| Is persistence linked? | inspect cron/services | Operationalization. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| /tmp/ | Primary staging path. |
| /var/tmp/ | Persistent temp path. |
| /dev/shm/ | Memory-backed stealth path. |
| chmod +x | Execution prep. |
| nohup | Detached execution. |
| setsid | Detached execution. |
| rm /tmp/ | Cleanup clue. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| ELF in /dev/shm | High stealth operator staging. |
| Hidden dotfile in temp | Simple camouflage. |
| Temp payload plus callback | Strong active compromise. |
| Temp file deleted quickly | Cleanup attempt likely. |
| Temp payload owned by root | Privileged execution path. |
| Temp payload plus cron | Persistence operationalized. |