Skip to content
Threat Feed
medium advisory

File Creation in World-Writable Directory by Unusual Process

An Elastic detection rule identifies when an unusual process creates files within world-writable directories on Linux systems, a tactic employed by attackers for defense evasion and lateral movement by staging payloads and hiding malicious activities.

This threat brief details a common defense evasion technique used by attackers on Linux systems: creating files in world-writable directories (such as /tmp, /var/tmp, /run, or /dev/shm) via an unusual process. Threat actors leverage these directories, which are commonly used for temporary storage, to hide their activities and stage payloads because they allow many users and services to write to them without requiring elevated privileges. This behavior is often a precursor or indicator of lateral movement within a network, where an attacker might drop an ELF backdoor or helper scripts to establish persistence or execute further malicious commands. Identifying such activity is crucial for defenders as it can signal an active compromise and an attacker's attempt to evade detection and expand their foothold.

Attack Chain

  1. Initial Access: An attacker gains initial access to a Linux system, potentially through a compromised service, vulnerable application, or stolen credentials.
  2. Execution: The attacker executes a command or process, which is often unusual or originates from an unexpected location, to prepare for payload staging.
  3. Defense Evasion - File Creation: The unusual process (e.g., curl, python, cp, mv) creates a new file (e.g., an ELF backdoor, malicious script) within a world-writable directory like /dev/shm or /tmp.
  4. Defense Evasion - Persistence/Execution: The newly created file, often designed as a backdoor or a staging script, is then executed from this transient path to establish persistence or perform further malicious actions.
  5. Command and Control: The executed payload establishes a C2 channel to external infrastructure, allowing the attacker to remotely control the compromised system.
  6. Lateral Movement: Using the established C2, the attacker employs the foothold to move laterally across the network, seeking out high-value targets or additional systems to compromise.
  7. Impact: The attacker achieves their final objective, which could include data exfiltration, deployment of ransomware, or maintaining long-term access to the network.

Impact

If this defense evasion technique is successful, attackers can effectively hide malicious files, establish persistence, and facilitate lateral movement across a network, leading to broader compromise. This can result in unauthorized data access, intellectual property theft, system disruption, or deployment of ransomware. The ability to covertly stage and execute payloads from common temporary directories makes it harder for defenders to distinguish malicious activity from legitimate system operations, increasing the risk of undetected breaches and prolonged dwell times.

Recommendation

  • Deploy the provided Sigma rule to your SIEM and ensure file_event logging, specifically for file creation events, is enabled for Linux systems.
  • Review alerts generated by the "File Creation in World-Writable Directory by Unusual Process" rule, focusing on the process.name, process.executable, and file.path fields.
  • Investigate the full process lineage and execution context around file creation events on Linux systems, specifically checking for parent processes originating from unusual locations as highlighted in the rule's logic.
  • Correlate alerts with nearby authentication, privilege escalation, and network activity on the same host to identify signs of compromise such as recent SSH access or outbound connections to untrusted infrastructure.
  • Validate whether observed activity aligns with known administrative or software deployment behavior; legitimate package installation and system updates often use temporary files, as discussed in the rule's false positive analysis.

Detection coverage 1

File Creation in World-Writable Directory by Unusual Process

medium

Detects the creation of files in world-writable directories (e.g., /tmp, /var/tmp, /dev/shm) by processes with unusual names or executables, indicating defense evasion or payload staging on Linux systems.

sigma tactics: defense_evasion techniques: T1222.002 sources: file_event, linux

Detection queries are available on the platform. Get full rules →