Lace Tempest File Indicators
Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
Sigma rule

title: Lace Tempest File Indicators
id: e94486ea-2650-4548-bf25-88cbd0bb32d7
status: test
description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|endswith:
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
              - ':\Program Files\SysAidServer\tomcat\webapps\leave'
        - TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
    condition: selection
falsepositives:
    - Unlikely
level: high
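To make the matching semantics of the `selection` block concrete, the following is an added Python re-implementation of the rule's logic (example code, not part of the rule above or of the Sigma project). It applies the same `endswith` and `contains` patterns to constructed Sysmon Event ID 11 (FileCreate) records, whose `TargetFilename` field is what the `file_event` log source maps to. The two list items under `selection` are OR-ed, as Sigma specifies for a list of maps, and string comparison is done case-insensitively, which is Sigma's default; the sample events and the `java.exe` / `explorer.exe` image paths in them are constructed for the demonstration.

```python
"""Re-implementation of the Lace Tempest File Indicators selection block.

Added example, not the Sigma project's code. Assumes Sysmon FileCreate
(Event ID 11) field names; the sample events below are constructed.
"""
from typing import Iterable

# Patterns copied verbatim from the rule's `selection` block.
ENDSWITH_PATTERNS = (
    r":\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe",
    r":\Program Files\SysAidServer\tomcat\webapps\usersfiles.war",
    r":\Program Files\SysAidServer\tomcat\webapps\leave",
)
CONTAINS_PATTERNS = (
    r":\Program Files\SysAidServer\tomcat\webapps\user.",
)


def matches_selection(target_filename: str) -> bool:
    """Return True when the path satisfies the rule's `selection`.

    The `endswith` list and the `contains` item are OR-ed (Sigma: list of
    maps). Comparison is case-insensitive, matching Sigma's default.
    """
    tf = target_filename.lower()
    if any(tf.endswith(p.lower()) for p in ENDSWITH_PATTERNS):
        return True
    return any(p.lower() in tf for p in CONTAINS_PATTERNS)


def scan_events(events: Iterable[dict]) -> list[str]:
    """Apply the rule to file_event records and return the paths that fire."""
    hits = []
    for ev in events:
        # Only file-creation records carry TargetFilename; skip anything else.
        tf = ev.get("TargetFilename")
        if tf and matches_selection(tf):
            hits.append(tf)
    return hits


# Constructed sample events in Sysmon Event ID 11 field layout.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\SysAidServer\jre\bin\java.exe",
     "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe"},
    # Mixed case: still matches because Sigma string matching is case-insensitive.
    {"EventID": 11, "Image": r"C:\Program Files\SysAidServer\jre\bin\java.exe",
     "TargetFilename": r"C:\PROGRAM FILES\SysAidServer\tomcat\webapps\USERSFILES.WAR"},
    # Any extension after "user." under webapps is caught by the `contains` item.
    {"EventID": 11, "Image": r"C:\Program Files\SysAidServer\jre\bin\java.exe",
     "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\user.dat"},
    # Benign: a normal web application file; none of the patterns apply.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\ROOT\index.jsp"},
    # Non-default drive letter: the patterns start at ':' so this still fires.
    {"EventID": 11, "Image": r"C:\Program Files\SysAidServer\jre\bin\java.exe",
     "TargetFilename": r"D:\Program Files\SysAidServer\tomcat\webapps\leave"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("MATCH:", hit)
```

Running the script prints four matches and skips the `index.jsp` record. The patterns deliberately begin at the `:` after the drive letter, so the rule is independent of which volume SysAid is installed on, and the `contains` item covers any file named `user.<ext>` written directly under `webapps`, not just the `user.exe` path listed under `endswith`.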
References
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Lace Tempest Cobalt Strike Download
- Lace Tempest Malware Loader Execution
- Lace Tempest PowerShell Evidence Eraser