Lace Tempest PowerShell Launcher
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
Sigma rule (View on GitHub)
1title: Lace Tempest PowerShell Launcher
2id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
3status: test
4description: |
5 Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
6references:
7 - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023-11-09
10tags:
11 - attack.execution
12 - attack.t1059.001
13 - detection.emerging-threats
14logsource:
15 product: windows
16 category: ps_script
17 definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19 selection:
20 ScriptBlockText|contains|all:
21 - '\SysAidServer\tomcat\webapps'
22 - 'Starting user.exe'
23 - '\usersfiles\user.exe'
24 - 'Remove-Item -Force "$wapps'
25 - '(Sophos).'
26 condition: selection
27falsepositives:
28 - Unlikely
29level: high
References
-
SysAid On-Prem Software CVE-2023-47246 Vulnerability - Learn about the security flaw in SysAid's on-premises software version.
Read More
Related rules
- Lace Tempest PowerShell Evidence Eraser
- UNC2452 Process Creation Patterns
- ChromeLoader Malware Execution
- Raspberry Robin Initial Execution From External Drive
- Raspberry Robin Subsequent Execution of Commands