Lace Tempest PowerShell Evidence Eraser

About the rule

Rule Type

Standard

Rule Description

Lace Tempest is an APT group known for using a PowerShell Evidence Eraser targeting SysAid software. By exploiting CVE-2023-47246, a vulnerability in SysAid on-premises, the threat group executes a PowerShell script that erases forensic evidence on the victim’s server following an attack. This rule detects the execution of such PowerShell scripts associated with Lace Tempest’s Evidence Eraser.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Exploit Public-Facing Application → Execution → PowerShell script execution → Defense evasion → Indicator Removal

Impact

• Exploitation of vulnerabilities
• Malware execution
• Forensic evidence manipulation
• Data destruction

Rule Requirement

Prerequisites

Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

(((( SCRIPTEXECUTED CONTAINS ""cleanll"" ) AND( SCRIPTEXECUTED CONTAINS ""usersfiles.war"" ) AND( SCRIPTEXECUTED CONTAINS ""remove-item -path \""$tomcat_dir"" ) AND( SCRIPTEXECUTED CONTAINS ""sysaidserver"" ) AND( SCRIPTEXECUTED CONTAINS ""sleep"" ) AND( SCRIPTEXECUTED CONTAINS ""while(1)"" ) )))

This rule is triggered when the executed script contains the following suspicious elements:

• cleanll: A command used for file cleanup.
• usersfiles.war: A Web Application Archive file which can be used for deploying malicious web applications.
• remove-item -path "$tomcat_dir": A PowerShell command used to delete files or folders from the Tomcat directory.
• sysaidserver: Refers to the targeted SysAid server or service.
• sleep: A command to pause execution that can be used to evade detection.
• while(1): A function used to keep a process running.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you're notified of a PowerShell script execution involving Lace Tempest's Evidence Eraser. This enables you to monitor runtime environments like PowerShell, detect attempts to exploit CVE-2023-47246, and identify the execution of Evidence Eraser scripts.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule might be triggered when admins execute automated PowerShell scripts for legitimate software upgrades and patch updates.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell activities: Continuously monitor PowerShell executions, restrict script execution privileges to administrators only, and disable PowerShell on devices where it is not required.

Mitigation