Lace Tempest Malware Loader Execution
Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
Sigma rule

```yaml
title: Lace Tempest Malware Loader Execution
id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
status: test
description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
    selection_hash:
        Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
```
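As an added illustration (not part of this rule or of the Sigma project), the following Python evaluator applies the rule's two selections and its `1 of selection_*` condition to constructed process-creation events. The event dicts are assumed to carry Sysmon Event ID 1 style `Image` and `Hashes` fields, and Sigma's default case-insensitive string matching is reproduced so that a lowercase hash in the log still fires.

```python
# Values copied from the rule on this page.
IMAGE_SUFFIX = r":\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe"
HASH_TOKEN = "SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D"


def match_selection_img(event: dict) -> bool:
    """selection_img: Image|endswith (Sigma string matching is case-insensitive)."""
    return event.get("Image", "").lower().endswith(IMAGE_SUFFIX.lower())


def match_selection_hash(event: dict) -> bool:
    """selection_hash: Hashes|contains, checked against Sysmon's
    'SHA1=...,MD5=...,SHA256=...' list, case-insensitively."""
    return HASH_TOKEN.lower() in event.get("Hashes", "").lower()


def rule_matches(event: dict) -> bool:
    """condition: 1 of selection_* -> any single selection is sufficient."""
    return match_selection_img(event) or match_selection_hash(event)


def evaluate(events: list) -> list:
    """Return the RecordIds of the events that trigger the rule."""
    return [e["RecordId"] for e in events if rule_matches(e)]


# Constructed sample events (assumed Sysmon-like field layout); every hash
# other than the rule's own IoC is a dummy value.
SAMPLE_EVENTS = [
    {   # dropped in SysAid's usersfiles directory, unknown hash: path selection fires
        "RecordId": 1,
        "Image": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe",
        "Hashes": "SHA256=" + "0" * 64,
    },
    {   # same loader copied elsewhere under another name: hash selection still fires
        "RecordId": 2,
        "Image": r"D:\Temp\svchost_update.exe",
        "Hashes": "MD5=" + "1" * 32 + "," + HASH_TOKEN.lower(),
    },
    {   # legitimate Tomcat process on the same server: no match
        "RecordId": 3,
        "Image": r"C:\Program Files\SysAidServer\tomcat\bin\tomcat9.exe",
        "Hashes": "SHA256=" + "f" * 64,
    },
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # [1, 2]
```

Because either selection alone satisfies the condition, a renamed or relocated copy of the loader is still caught by its hash, while a copy that has been rebuilt (and so re-hashed) is only caught when it still runs from the `usersfiles` path.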
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Lace Tempest Cobalt Strike Download
- Lace Tempest File Indicators
- Lace Tempest PowerShell Evidence Eraser