Detects artifacts associated with post exploitation activity of LaceTempest related to the SysAid 0day.
There are several sub artifact scopes, with configurable regex parameters to target.
name: Windows.Detection.SysAid
author: Matt Green - @mgreen27
description: |
Detects artifacts associated with post exploitation activity of
LaceTempest related to the SysAid 0day.
There are several sub artifact scopes, with configurable regex parameters to
target.
- Yara.Process: Targets observed malware and cobalt strike via process yara
- Disk.Ntfs: targets known disk IOCs via Windows.ntfs.mft
- Forensic.Usn: targets known disk IOCs via USN journal
- Evtx.Defender: Searches Defender event logs for evidence of associated alerts
- Evtx.NetworkIOC: targets known strings of network IOCs in Firewall, Sysmon logs.
- Evtx.PowershellIOC: targets known strings of powershell IOCs in Powershell logs.
type: CLIENT
resources:
timeout: 1800
parameters:
- name: FileNameRegex
description: FileName disk IOC regex
type: regex
default: ^(usersfiles\.war|user\.exe|leave)$
- name: PathRegex
description: Path disk IOC regex
type: regex
default: \\Program Files\\SysAidServer\\tomcat\\webapps\\
- name: AllDrives
type: bool
description: target all drives.
- name: DefenderDetection
description: Regex of Defender strings to hunt in Defender evtx
type: regex
default: Win32/Clop|Win32/TurtleLoader
- name: NetworkIoc
description: Regex of network IOCs to hunt evtx
default: 81\.19\.138\.52|45\.182\.189\.100|179\.60\.150\.34|45\.155\.37\.105
- name: PowershellIoc
description: Regex of Powershell string IOCs to hunt evtx
default: STOP-PROCs FOUND\! Exiting|userentry\|getLogo\\\.jsp\|Go|179\.60\.150\.34
- name: UploadYaraHits
type: bool
- name: YaraRule
type: yara
default: |
rule Windows_Trojan_HazelCobra_6a9fe48a {
meta:
author = "Elastic Security"
id = "6a9fe48a-6fd9-4bce-ac43-254c02d6b3a4"
fingerprint = "4dc883be5fb6aae0dac0ec5d64baf24f0f3aaded6d759ec7dccb1a2ae641ae7b"
creation_date = "2023-11-01"
last_modified = "2023-11-01"
threat_name = "Windows.Trojan.HazelCobra"
reference_sample = "b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a1 = { 83 E9 37 48 63 C2 F6 C2 01 75 0C C0 E1 04 48 D1 F8 88 4C 04 40 EB 07 }
$s1 = "Data file loaded. Running..." fullword
$s2 = "No key in args" fullword
$s3 = "Can't read data file" fullword
condition:
$a1 or all of ($s*)
}
rule Windows_Trojan_FlawedGrace_8c5eb04b {
meta:
author = "Elastic Security"
id = "8c5eb04b-301b-4d05-a010-3329e5b764c6"
fingerprint = "46ce025974792cdefe9d4f4493cee477c0eaf641564cd44becd687c27d9e7c30"
creation_date = "2023-11-01"
last_modified = "2023-11-02"
threat_name = "Windows.Trojan.FlawedGrace"
reference_sample = "966112f3143d751a95c000a990709572ac8b49b23c0e57b2691955d6fda1016e"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a1 = "Grace finalized, no more library calls allowed." ascii fullword
$a2 = ".?AVReadThread@TunnelIO@NS@@" ascii fullword
$a3 = ".?AVTunnelClientDirectIO@NS@@" ascii fullword
$a4 = ".?AVWireClientConnectionThread@NS@@" ascii fullword
$a5 = ".?AVWireParam@NS@@" ascii fullword
condition:
3 of them
}
rule win_cobalt_strike_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-07-11"
description = "Detects win.cobalt_strike."
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
strings:
$sequence_0 = { e9???????? eb0a b801000000 e9???????? }
$sequence_1 = { 3bc7 750d ff15???????? 3d33270000 }
$sequence_2 = { ff15???????? 03c6 59 8bf0 }
$sequence_3 = { ff05???????? 891e 8937 894f08 894604 c7470408000000 5b }
$sequence_4 = { ff15???????? 03f8 03f0 83f8ff 740b 3b750c 7ce0 }
$sequence_5 = { eb0b 8b45d4 83c010 8945d4 eb84 e9???????? 837d0c18 }
$sequence_6 = { ff13 83c40c 3bc7 7545 }
$sequence_7 = { eb0c 890d???????? e8???????? 59 5f 5e 5d }
$sequence_8 = { 85c0 741d ff15???????? 85c0 7513 }
$sequence_9 = { e8???????? e9???????? 833d????????01 7505 e8???????? }
$sequence_10 = { 8bd0 e8???????? 85c0 7e0e }
$sequence_11 = { 85c0 7405 e8???????? 8b0d???????? 85c9 }
$sequence_12 = { e8???????? 488d4c2420 41b800200000 488bd3 e8???????? 4533c0 488bd3 }
$sequence_13 = { c1e810 25ff000000 b901000000 486bc901 488b542448 88040a 8b0424 }
$sequence_14 = { 83f835 741d ff15???????? 413bc6 7312 b9e8030000 ff15???????? }
$sequence_15 = { 7514 488b4f20 ff15???????? 488b4f20 ff15???????? 488b7f30 4885ff }
condition:
7 of them
}
reference:
- https://profero.io/posts/sysaidonpremvulnerability/
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
precondition: SELECT OS From info() where OS = 'windows'
sources:
- name: Yara.Process
query: |
SELECT * FROM Artifact.Windows.Detection.Yara.Process(
YaraRule=YaraRule,
UploadHits=UploadYaraHits )
- name: Disk.Ntfs
query: |
SELECT * FROM Artifact.Windows.NTFS.MFT( AllDrives=AllDrives,
FileRegex=FileNameRegex,
PathRegex=PathRegex )
- name: Forensic.Usn
query: |
SELECT * FROM Artifact.Windows.Forensics.Usn( AllDrives=AllDrives,
FileNameRegex=FileNameRegex,
PathRegex=PathRegex )
- name: Evtx.Defender
query: |
SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob='%SystemRoot%\\System32\\Winevt\\Logs\\*Defender*.evtx',
IocRegex= DefenderDetection )
- name: Evtx.NetworkIOC
query: |
SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob='%SystemRoot%\\System32\\Winevt\\Logs\\*{Firewall,Sysmon}*.evtx',
IocRegex= NetworkIoc )
- name: Evtx.Powershell
query: |
SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob='%SystemRoot%\\System32\\Winevt\\Logs\\*Powershell*.evtx',
IocRegex= PowershellIoc )
column_types:
- name: HitContext
type: preview_upload