Date: 10/03/2024
Severity: High
Summary
Identifies the creation of PowerShell script files with certain names or suffixes commonly used by FIN7.
Indicators of Compromise (IOC) List
TargetFilename:
- ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
- ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
- ':\Program Files\SysAidServer\tomcat\webapps\leave'
- ':\Program Files\SysAidServer\tomcat\webapps\user.'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
(resourcename = "Windows Security" AND eventtype = "4663") AND processname In (":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe",":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles.war",":\\Program Files\\SysAidServer\\tomcat\\webapps\\leave",":\\Program Files\\SysAidServer\\tomcat\\webapps\\user.")

Detection Query 2:
technologygroup = "EDR" AND processname In (":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe",":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles.war",":\\Program Files\\SysAidServer\\tomcat\\webapps\\leave",":\\Program Files\\SysAidServer\\tomcat\\webapps\\user.")
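As an added example (not part of this advisory, the Gurucul queries, or the referenced Sigma rule), the Python below applies the four TargetFilename indicators to file-event log lines. It assumes case-insensitive substring matching (the trailing 'user.' indicator only makes sense that way) and a simple key=value line format; the sample events are constructed, not real telemetry.

```python
import re
from typing import Optional

# The four TargetFilename indicators from the IOC list above. Each begins
# with ':\' so it sits behind whatever drive letter the host uses.
SYSAID_FILE_INDICATORS = (
    r":\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe",
    r":\Program Files\SysAidServer\tomcat\webapps\usersfiles.war",
    r":\Program Files\SysAidServer\tomcat\webapps\leave",
    r":\Program Files\SysAidServer\tomcat\webapps\user.",
)

# Assumption: case-insensitive substring matching, since 'user.' is meant
# to cover user.<any extension>, not a file literally named 'user.'.
def match_indicator(target_filename: str) -> Optional[str]:
    """Return the first indicator contained in target_filename, or None."""
    path = target_filename.replace("/", "\\").lower()
    for ioc in SYSAID_FILE_INDICATORS:
        if ioc.lower() in path:
            return ioc
    return None

# Constructed sample events (not real logs): a Security 4663 object-access
# event and three Sysmon event 11 file-create events, one of them benign.
SAMPLE_EVENTS = [
    r"EventID=4663 ObjectName=C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe ProcessName=C:\Windows\System32\cmd.exe",
    r"EventID=11 TargetFilename=C:\Program Files\SysAidServer\tomcat\webapps\leave Image=C:\Program Files\SysAidServer\tomcat\bin\tomcat9.exe",
    r"EventID=11 TargetFilename=D:\Program Files\SysAidServer\tomcat\webapps\USER.DLL Image=C:\Windows\System32\rundll32.exe",
    r"EventID=11 TargetFilename=C:\Program Files\SysAidServer\tomcat\webapps\sysaid\index.html Image=C:\Program Files\SysAidServer\tomcat\bin\tomcat9.exe",
]

# Field that carries the file path differs per event source.
FILE_FIELDS = ("TargetFilename", "ObjectName")

def parse_event(line: str) -> dict:
    """Split 'Key=value' pairs; a value runs until the next ' Key=' token,
    so paths containing spaces ('Program Files') stay intact."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line)}

def find_hits(lines) -> list:
    """Return (event_id, file_path, indicator) for every line that fires."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for field in FILE_FIELDS:
            if field in ev:
                ioc = match_indicator(ev[field])
                if ioc:
                    hits.append((ev.get("EventID"), ev[field], ioc))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

The benign index.html write under webapps\sysaid does not fire, while the upper-case USER.DLL on drive D: does, which is the behaviour a drive-agnostic, case-insensitive rule should have.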
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml