Detection rules › Sigma

Lace Tempest Malware Loader Execution

Status
test
Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects execution of a specific binary, identified by file name and SHA256 hash, that Lace Tempest used to load additional malware, as reported by the SysAid team.

Event coverage

Provider   Event        Title
Sysmon     Event ID 1   Process creation

Rule body (yaml)

title: Lace Tempest Malware Loader Execution
id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
status: test
description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
    selection_hash:
        Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

Stages and Predicates

Stage 0: condition

1 of selection_*

Stage 1: selection_img

selection_img:
    Image|endswith: ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'

Stage 2: selection_hash

selection_hash:
    Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field     Kind        Values
Hashes    match       SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D
Image     ends_with   :\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe
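As an added example, not part of the catalog page or the SigmaHQ rule itself: a small Python evaluator for the rule's two selections and its `1 of selection_*` condition, run over constructed Sysmon process-creation records (the event contents are invented for the demonstration). It shows that Sigma's default case-insensitive matching still catches the hash when a pipeline lowercases Sysmon output, and that the leading `:\` keeps the path match independent of the drive letter.

```python
"""Added example, not part of the catalog page or the SigmaHQ project: evaluates
the rule's selections against constructed Sysmon Event ID 1 records."""

# Values copied from the rule body. Sysmon emits SHA256 in upper case, and
# Sigma string matching is case-insensitive unless the 'cased' modifier is used.
IMAGE_SUFFIX = r":\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe"
HASH_TOKEN = "SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D"


def selection_img(event: dict) -> bool:
    """Image|endswith: the leading colon-backslash keeps the match drive-letter agnostic."""
    return str(event.get("Image", "")).lower().endswith(IMAGE_SUFFIX.lower())


def selection_hash(event: dict) -> bool:
    """Hashes|contains: Sysmon packs several algorithms into one comma-joined field."""
    return HASH_TOKEN.lower() in str(event.get("Hashes", "")).lower()


def rule_matches(event: dict) -> bool:
    """condition: 1 of selection_* -> fires when at least one selection is true."""
    return any(sel(event) for sel in (selection_img, selection_hash))


# Constructed sample events (hypothetical telemetry, not real incident data).
SAMPLE_EVENTS = [
    {  # file on a D: volume; the path selection still hits via the ':\' prefix
        "Image": r"D:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe",
        "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    },
    {  # same content copied elsewhere under another name; only the hash selection hits
        "Image": r"C:\Users\Public\svc.exe",
        "Hashes": "MD5=00000000000000000000000000000000,SHA256=b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d",
    },
    {  # unrelated binary from the same install directory; no selection hits
        "Image": r"C:\Program Files\SysAidServer\tomcat\bin\tomcat9.exe",
        "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
    },
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return (image_hit, hash_hit, rule_hit) per event, as a pipeline would tag them."""
    return [(selection_img(e), selection_hash(e), rule_matches(e)) for e in events]


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, evaluate()):
        print(ev["Image"], "->", res)
```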