Lace Tempest Cobalt Strike Download

Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team

Sigma rule (View on GitHub)

 1title: Lace Tempest Cobalt Strike Download
 2id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
 3status: test
 4description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
 5references:
 6    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-11-09
 9tags:
10    - attack.execution
11    - detection.emerging-threats
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        CommandLine|contains|all:
18            - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(
19            - /a')
20    condition: selection
21falsepositives:
22    - Unlikely
23level: high

References

Related rules

to-top