
Lace Tempest File Indicators

Status
test
Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects the creation of files with specific names under the SysAid Server Tomcat webapps directory, as observed during exploitation of on-premise SysAid servers by the Lace Tempest threat actor

Event coverage

Provider | Event | Title
Sysmon | Event ID 11 | FileCreate

Rule body yaml

title: Lace Tempest File Indicators
id: e94486ea-2650-4548-bf25-88cbd0bb32d7
status: test
description: Detects the creation of files with specific names under the SysAid Server Tomcat webapps directory, as observed during exploitation of on-premise SysAid servers by the Lace Tempest threat actor
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|endswith:
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
              - ':\Program Files\SysAidServer\tomcat\webapps\leave'
        - TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
    condition: selection
falsepositives:
    - Unlikely
level: high

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    - TargetFilename|endswith:
          - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
          - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
          - ':\Program Files\SysAidServer\tomcat\webapps\leave'
    - TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
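The selection above re-implemented in Python and run over constructed Sysmon Event ID 11 records, as an added example that is not code from the SigmaHQ rule or from this catalog. It reproduces the Sigma semantics that matter here: `endswith` and `contains` compare case-insensitively by default, several values under one field are OR-ed, and the two list items under `selection` are OR-ed with each other. The Image path and every file name in the sample events are made up.

```python
# Added example: Python re-implementation of the rule's `selection`, run over
# constructed Sysmon Event ID 11 (FileCreate) records. Not code from the
# SigmaHQ rule or the catalog; sample events and the Image path are invented.

ENDSWITH = (
    r":\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe",
    r":\Program Files\SysAidServer\tomcat\webapps\usersfiles.war",
    r":\Program Files\SysAidServer\tomcat\webapps\leave",
)
CONTAINS = (r":\Program Files\SysAidServer\tomcat\webapps\user.",)


def matches(event: dict) -> bool:
    """True if a Sysmon FileCreate event satisfies the rule's `selection`.

    Sigma string modifiers are case-insensitive by default, so both sides are
    casefolded; Windows paths are case-insensitive anyway, and a lowercase
    'c:\\program files\\...' must still fire.
    """
    if event.get("EventID") != 11:  # logsource file_event/windows -> Sysmon EID 11
        return False
    target = event.get("TargetFilename", "").casefold()
    if any(target.endswith(v.casefold()) for v in ENDSWITH):  # first list item
        return True
    return any(v.casefold() in target for v in CONTAINS)       # second list item


def alerts(events: list[dict]) -> list[str]:
    """Return the TargetFilename of every event that fires the rule."""
    return [e["TargetFilename"] for e in events if matches(e)]


JAVA = r"C:\Program Files\SysAidServer\jre\bin\java.exe"  # hypothetical Image value

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Should fire: the three `endswith` indicators, one on a non-C: drive and
    # one with unusual casing.
    {"EventID": 11, "Image": JAVA,
     "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe"},
    {"EventID": 11, "Image": JAVA,
     "TargetFilename": r"c:\program files\sysaidserver\tomcat\webapps\USERSFILES.WAR"},
    {"EventID": 11, "Image": JAVA,
     "TargetFilename": r"D:\Program Files\SysAidServer\tomcat\webapps\leave"},
    # Should fire: `contains` covers any extension after webapps\user.
    {"EventID": 11, "Image": JAVA,
     "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\user.war"},
    # Should NOT fire: an ordinary attachment written into usersfiles.
    {"EventID": 11, "Image": JAVA,
     "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\ticket-attachment.pdf"},
    # Should NOT fire: same file name, but SysAid installed outside Program Files
    # (every indicator is anchored to ':\Program Files\SysAidServer').
    {"EventID": 11, "Image": JAVA,
     "TargetFilename": r"D:\Apps\SysAidServer\tomcat\webapps\usersfiles\user.exe"},
    # Should NOT fire: not a FileCreate event at all.
    {"EventID": 1, "Image": JAVA, "CommandLine": "java.exe -jar tomcat"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Two properties of the rule are visible in the non-matching samples. Every value is anchored on `:\Program Files\SysAidServer`, so a SysAid instance installed to a non-default directory produces no alert; if that applies in your environment, widen the prefix deliberately rather than relying on the rule as shipped. And because `webapps\user.` is a `contains` match, it fires on any extension dropped directly under `webapps`, while legitimate uploads under `usersfiles\` only match on the exact `user.exe` name.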

Indicators

Each row is a field, operator, and value that the rule matches. The corpus count for an indicator is the number of other rules in the catalog that look for the same field, operator and value: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Field | Kind | Values
TargetFilename | ends_with |
  • :\Program Files\SysAidServer\tomcat\webapps\leave
  • :\Program Files\SysAidServer\tomcat\webapps\usersfiles.war
  • :\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe
TargetFilename | contains |
  • :\Program Files\SysAidServer\tomcat\webapps\user.