SigmaHQ · nasbench · Nov 10, 2023 · Nov 8, 2023 · Nov 8, 2023 · Nov 10, 2023
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/README.md b/rules-emerging-threats/2023/TA/Lace-Tempest/README.md
@@ -0,0 +1,17 @@
+# Lace Tempest SysAid CVE-2023-47246 Exploitation
+
+## Summary
+
+A zero-day vulnerability in the SysAid on-premises software was exploited by DEV-0950 (Lace Tempest). Where the threat actor uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The WebShell provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan
+
+You can find more information on the threat in the following articles:
+
+- [SysAid On-Prem Software CVE-2023-47246 Vulnerability](https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification)
+
+## Rules
+
+- [Lace Tempest File Indicators](./file_event_win_apt_lace_tempest_indicators.yml)
+- [Lace Tempest PowerShell Evidence Eraser](./posh_ps_apt_lace_tempest_eraser_script.yml)
+- [Lace Tempest PowerShell Launcher](./posh_ps_apt_lace_tempest_malware_launcher.yml)
+- [Lace Tempest Cobalt Strike Download](./proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml)
+- [Lace Tempest Malware Loader Execution](./proc_creation_win_apt_lace_tempest_loader_execution.yml)
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml
@@ -0,0 +1,25 @@
+title: Lace Tempest File Indicators
+id: e94486ea-2650-4548-bf25-88cbd0bb32d7
+status: experimental
+description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
+references:
+    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+    - attack.execution
+    - detection.emerging_threats
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        - TargetFilename|endswith:
+              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
+              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
+              - ':\Program Files\SysAidServer\tomcat\webapps\leave'
+        - TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
@@ -0,0 +1,30 @@
+title: Lace Tempest PowerShell Evidence Eraser
+id: b377ddab-502d-4519-9e8c-5590033d2d70
+status: experimental
+description: |
+    Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
+references:
+    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'cleanLL'
+            - 'usersfiles.war'
+            - 'Remove-Item -Path "$tomcat_dir'
+            - 'SysAidServer'
+            - 'sleep '
+            - 'while(1)'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
@@ -0,0 +1,29 @@
+title: Lace Tempest PowerShell Launcher
+id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
+status: experimental
+description: |
+    Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
+references:
+    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - detection.emerging_threats
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - '\SysAidServer\tomcat\webapps'
+            - 'Starting user.exe'
+            - '\usersfiles\user.exe'
+            - 'Remove-Item -Force "$wapps'
+            - '(Sophos).'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/...hreats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/...hreats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
@@ -0,0 +1,23 @@
+title: Lace Tempest Cobalt Strike Download
+id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
+status: experimental
+description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
+references:
+    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+    - attack.execution
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(
+            - /a')
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/...ging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/...ging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
@@ -0,0 +1,23 @@
+title: Lace Tempest Malware Loader Execution
+id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
+status: experimental
+description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
+references:
+    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+    - attack.execution
+    - detection.emerging_threats
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        Image|endswith: ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
+    selection_hash:
+        Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml
@@ -1,10 +1,13 @@
-title: Suspicious Shells Spawned by Java
+title: Suspicious Processes Spawned by Java.EXE
 id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
+related:
+    - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
+      type: similar
 status: experimental
-description: Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)
+description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
 author: Andreas Hunkeler (@Karneades), Florian Roth
 date: 2021/12/17
-modified: 2023/01/21
+modified: 2023/11/09
 tags:
     - attack.initial_access
     - attack.persistence
@@ -16,32 +19,30 @@ detection:
     selection:
         ParentImage|endswith: '\java.exe'
         Image|endswith:
-            - '\sh.exe'
+            - '\AppVLP.exe'
             - '\bash.exe'
-            - '\powershell.exe'
-            - '\pwsh.exe'
-            - '\schtasks.exe'
-            - '\certutil.exe'
-            - '\whoami.exe'
             - '\bitsadmin.exe'
-            - '\wscript.exe'
+            - '\certutil.exe'
             - '\cscript.exe'
-            - '\scrcons.exe'
-            - '\regsvr32.exe'
-            - '\hh.exe'
-            - '\wmic.exe'        # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
-            - '\mshta.exe'
-            - '\rundll32.exe'
+            - '\curl.exe'
             - '\forfiles.exe'
-            - '\scriptrunner.exe'
+            - '\hh.exe'
             - '\mftrace.exe'
-            - '\AppVLP.exe'
-            - '\curl.exe'
-            - '\systeminfo.exe'
+            - '\mshta.exe'
             - '\net.exe'
             - '\net1.exe'
-            - '\reg.exe'
             - '\query.exe'
+            - '\reg.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\schtasks.exe'
+            - '\scrcons.exe'
+            - '\scriptrunner.exe'
+            - '\sh.exe'
+            - '\systeminfo.exe'
+            - '\whoami.exe'
+            - '\wmic.exe'        # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
+            - '\wscript.exe'
     condition: selection
 falsepositives:
     - Legitimate calls to system binaries

diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml
@@ -1,10 +1,13 @@
-title: Shells Spawned by Java
+title: Shell Process Spawned by Java.EXE
 id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
+related:
+    - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
+      type: similar
 status: test
 description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
 author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
 date: 2021/12/17
-modified: 2022/07/27
+modified: 2023/11/09
 tags:
     - attack.initial_access
     - attack.persistence
@@ -19,10 +22,10 @@ detection:
             - '\cmd.exe'
             - '\powershell.exe'
             - '\pwsh.exe'
-    filter:
+    filter_main_build:
         ParentImage|contains: 'build'  # excluding CI build agents
         CommandLine|contains: 'build'  # excluding CI build agents
-    condition: selection and not filter
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Legitimate calls to system binaries
     - Company specific internal usage

diff --git a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
@@ -29,7 +29,7 @@ detection:
             - '&dir&echo'
             - '&echo [E]'
             - '&echo [S]'
-    condition: all of selection*
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml b/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml
@@ -1,12 +1,13 @@
 title: Webshell Hacking Activity Patterns
 id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
 status: test
-description: Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system
+description: |
+    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
 references:
     - https://youtu.be/7aemGhaE9ds?t=641
 author: Florian Roth (Nextron Systems)
 date: 2022/03/17
-modified: 2022/08/04
+modified: 2023/11/09
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -20,11 +21,11 @@ detection:
    # Webserver
     selection_webserver_image:
         ParentImage|endswith:
-            - '\w3wp.exe'
-            - '\php-cgi.exe'
-            - '\nginx.exe'
-            - '\httpd.exe'
             - '\caddy.exe'
+            - '\httpd.exe'
+            - '\nginx.exe'
+            - '\php-cgi.exe'
+            - '\w3wp.exe'
             - '\ws_tomcatservice.exe'
     selection_webserver_characteristics_tomcat1:
         ParentImage|endswith:
@@ -80,20 +81,20 @@ detection:
     selection_child_6:
         # SUspicious patterns
         CommandLine|contains:
+            - ' -decode '  # Used with certutil
             - ' -NoP '  # Often used in malicious PowerShell commands
             - ' -W Hidden '  # Often used in malicious PowerShell commands
-            - ' -decode '  # Used with certutil
             - ' /decode '  # Used with certutil
-            - 'reg save '  # save registry SAM - syskey extraction
-            - '.downloadstring('  # PowerShell download command
-            - '.downloadfile('  # PowerShell download command
-            - 'FromBase64String' # PowerShell encoded payload
             - ' /ticket:'  # Rubeus
             - ' sekurlsa'  # Mimikatz
             - '.dmp full'  # Process dumping method apart from procdump
+            - '.downloadfile('  # PowerShell download command
+            - '.downloadstring('  # PowerShell download command
+            - 'FromBase64String' # PowerShell encoded payload
             - 'process call create' # WMIC process creation
+            - 'reg save '  # save registry SAM - syskey extraction
             - 'whoami /priv'
-    condition: 1 of selection_webserver* and 1 of selection_child*
+    condition: 1 of selection_webserver_* and 1 of selection_child_*
 falsepositives:
     - Unlikely
 level: high