Lace Tempest File Indicators

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects PowerShell script file creation with specific names or suffixes that were often seen being used in PowerShell scripts by FIN7

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "File Created or Modified" AND (FILENAME endswith ":\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe,:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war,:\Program Files\SysAidServer\tomcat\webapps\leave" OR OBJECTNAME endswith ":\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe,:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war,:\Program Files\SysAidServer\tomcat\webapps\leave") OR (FILENAME contains ":\Program Files\SysAidServer\tomcat\webapps\user." OR OBJECTNAME contains ":\Program Files\SysAidServer\tomcat\webapps\user.") select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.FILENAME,Action1.PROCESSNAME
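As an added example (not part of this rule page or Nextron's own code), the Python below evaluates the Criteria above against a few constructed "File Created or Modified" events and returns the selected fields for each hit. It assumes the SIEM compares Windows paths case-insensitively, and it reads the action-name condition as gating both the endswith group and the contains group.

```python
# Added example: apply the rule's Criteria to constructed file events.
# Suffixes taken from the rule's "endswith" list (drive letter omitted, as in the rule).
ENDSWITH_SUFFIXES = (
    r":\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe",
    r":\Program Files\SysAidServer\tomcat\webapps\usersfiles.war",
    r":\Program Files\SysAidServer\tomcat\webapps\leave",
)
# Substring taken from the rule's "contains" clause.
CONTAINS_FRAGMENT = r":\Program Files\SysAidServer\tomcat\webapps\user."
# Fields listed in the rule's "select" clause.
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "USERNAME", "DOMAIN",
                   "OBJECTNAME", "FILENAME", "PROCESSNAME")
REQUIRED_ACTION = "File Created or Modified"


def path_matches(path):
    """True if the path satisfies either the endswith list or the contains clause.
    Comparison is case-insensitive (assumption: Windows path semantics)."""
    if not path:
        return False
    p = path.lower()
    suffixes = tuple(s.lower() for s in ENDSWITH_SUFFIXES)
    return p.endswith(suffixes) or CONTAINS_FRAGMENT.lower() in p


def matches_rule(event):
    """Apply the Criteria to one event dict. The action-name check is applied to
    both path groups here (assumption about the intended AND/OR precedence)."""
    if event.get("actionname") != REQUIRED_ACTION:
        return False
    return path_matches(event.get("FILENAME")) or path_matches(event.get("OBJECTNAME"))


def select_matches(events):
    """Return the rule's selected fields for every matching event."""
    return [{f: e.get(f) for f in SELECTED_FIELDS} for e in events if matches_rule(e)]


# Constructed sample events (hostnames, users and paths are made up for this example).
SAMPLE_EVENTS = [
    {"actionname": REQUIRED_ACTION, "HOSTNAME": "srv-sysaid01", "USERNAME": "SYSTEM",
     "DOMAIN": "EXAMPLE", "PROCESSNAME": r"C:\Program Files\SysAidServer\jre\bin\java.exe",
     "FILENAME": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe"},
    {"actionname": REQUIRED_ACTION, "HOSTNAME": "srv-sysaid01", "USERNAME": "SYSTEM",
     "DOMAIN": "EXAMPLE", "PROCESSNAME": r"C:\Program Files\SysAidServer\jre\bin\java.exe",
     "OBJECTNAME": r"C:\Program Files\SysAidServer\tomcat\webapps\user.exe"},
    {"actionname": REQUIRED_ACTION, "HOSTNAME": "srv-sysaid01", "USERNAME": "SYSTEM",
     "DOMAIN": "EXAMPLE", "FILENAME": r"C:\Program Files\SysAidServer\tomcat\webapps\ROOT\index.jsp"},
    {"actionname": "Process Created", "HOSTNAME": "srv-sysaid01", "USERNAME": "SYSTEM",
     "DOMAIN": "EXAMPLE", "FILENAME": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war"},
]

if __name__ == "__main__":
    for hit in select_matches(SAMPLE_EVENTS):
        print(hit)
```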

Detection

Execution Mode

realtime

Log Sources

Windows

Author

Nasreddine Bencherchali (Nextron Systems)