Lace Tempest File Indicators

Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7

Sigma rule

title: Lace Tempest File Indicators
id: e94486ea-2650-4548-bf25-88cbd0bb32d7
status: experimental
description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/11/09
tags:
    - attack.execution
    - detection.emerging_threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|endswith:
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
              - ':\Program Files\SysAidServer\tomcat\webapps\leave'
        - TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
    condition: selection
falsepositives:
    - Unlikely
level: high
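The following is an added example, not part of the rule above or of the Sigma project: it re-implements the rule's `selection` block in plain Python and runs it over a handful of constructed Windows file-event records, so you can see which `TargetFilename` values fire. It assumes standard Sigma semantics, where `endswith` and `contains` match case-insensitively, a list of values under one field is an OR, and the two `- TargetFilename|...` entries in the selection list are ORed as well. The sample paths and the `matches_selection`/`alerts` helper names are constructed for illustration.

```python
"""Added example (not the rule's or Sigma's own code): evaluate the
Lace Tempest File Indicators selection against constructed file events."""

# The selection values, copied verbatim from the rule above.
ENDSWITH_VALUES = (
    r":\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe",
    r":\Program Files\SysAidServer\tomcat\webapps\usersfiles.war",
    r":\Program Files\SysAidServer\tomcat\webapps\leave",
)
CONTAINS_VALUE = r":\Program Files\SysAidServer\tomcat\webapps\user."


def matches_selection(target_filename: str) -> bool:
    """Return True when TargetFilename satisfies the rule's selection.

    Sigma string modifiers compare case-insensitively (assumption: default
    Sigma semantics), so both sides are lower-cased before comparison.
    The `endswith` list is an OR over its values, and the `contains`
    entry is ORed with it because both sit in the selection list.
    """
    value = target_filename.lower()
    if any(value.endswith(v.lower()) for v in ENDSWITH_VALUES):
        return True
    return CONTAINS_VALUE.lower() in value


# Constructed sample events (not real telemetry); only the field the rule uses
# plus an EventID for readability (11 = Sysmon FileCreate).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war"},
    {"EventID": 11, "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\user.war"},
    {"EventID": 11, "TargetFilename": r"c:\program files\sysaidserver\tomcat\webapps\LEAVE"},
    {"EventID": 11, "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\ROOT\index.jsp"},
    {"EventID": 11, "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\report.pdf"},
]


def alerts(events):
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if matches_selection(e["TargetFilename"])]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT (level: high):", hit)
```

Note that the fourth sample only matches because of the case-insensitive comparison; a backend that compiled this rule into a case-sensitive query would miss a mixed-case path, which is worth checking when you deploy the rule.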
