Lace Tempest PowerShell Evidence Eraser
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
Sigma rule (View on GitHub)
1title: Lace Tempest PowerShell Evidence Eraser
2id: b377ddab-502d-4519-9e8c-5590033d2d70
3status: test
4description: |
5 Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
6references:
7 - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023-11-09
10tags:
11 - attack.execution
12 - attack.t1059.001
13 - detection.emerging-threats
14logsource:
15 product: windows
16 category: ps_script
17 definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19 selection:
20 ScriptBlockText|contains|all:
21 - 'cleanLL'
22 - 'usersfiles.war'
23 - 'Remove-Item -Path "$tomcat_dir'
24 - 'SysAidServer'
25 - 'sleep '
26 - 'while(1)'
27 condition: selection
28falsepositives:
29 - Unlikely
30level: high
References
-
SysAid On-Prem Software CVE-2023-47246 Vulnerability - Learn about the security flaw in SysAid's on-premises software version.
Read More
Related rules
- Lace Tempest PowerShell Launcher
- UNC2452 Process Creation Patterns
- ChromeLoader Malware Execution
- Raspberry Robin Initial Execution From External Drive
- Raspberry Robin Subsequent Execution of Commands