Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
Sigma rule
title: Local Privilege Escalation Indicator TabTip
id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
status: test
description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
references:
    - https://github.com/antonioCoco/JuicyPotatoNG
author: Florian Roth (Nextron Systems)
date: 2022-10-07
modified: 2023-04-14
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-DistributedCOM'
        EventID: 10001
        param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' # Binary starting/started
        param2: 2147943140 # ERROR id
        param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' # DCOM Server
    condition: selection
falsepositives:
    - Unknown
level: high
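The selection above applied to a few constructed DCOM events, as an added example that is not part of the Sigma rule or the Sigma project: a minimal matcher with Sigma's default case-insensitive string equality, plus a helper that splits param2 into its HRESULT facility and Win32 error code (2147943140 is 0x800702E4, i.e. Win32 error 740, ERROR_ELEVATION_REQUIRED, which is why a failed elevated CLSID activation shows up in Event ID 10001). The sample event dictionaries and the flat field names are assumptions for this example; in production the fields come from the Windows System log through whatever Sigma backend you use.

```python
"""Apply the TabTip / JuicyPotatoNG Sigma selection to sample DCOM events.

Added example; not code from the Sigma rule or the Sigma project. The sample
events below are constructed for this example and are not real log data.
"""

# Selection copied from the rule above. Sigma string matching is
# case-insensitive by default, so strings are compared with casefold().
SELECTION = {
    "Provider_Name": "Microsoft-Windows-DistributedCOM",
    "EventID": 10001,
    "param1": r"C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe",
    "param2": 2147943140,
    "param3": "{054AAE20-4BEA-4347-8A35-64A533254A9D}",
}


def field_matches(expected, actual):
    """Sigma-style equality: numbers compare numerically, strings case-insensitively."""
    if actual is None:
        return False
    if isinstance(expected, int):
        try:
            return int(actual) == expected
        except (TypeError, ValueError):
            return False
    return str(actual).casefold() == expected.casefold()


def matches_rule(event):
    """True when every selection field is present and equal (condition: selection)."""
    return all(field_matches(v, event.get(k)) for k, v in SELECTION.items())


def decode_hresult(code):
    """Split a Win32-derived HRESULT into (facility, win32_error_code).

    FACILITY_WIN32 is 7; the low 16 bits carry the original Win32 error code.
    """
    facility = (code >> 16) & 0x1FFF
    return facility, code & 0xFFFF


# Constructed sample events as they might be flattened from the System log
# (assumed field names; not real data).
SAMPLE_EVENTS = [
    {   # Elevation refused for the TabTip CLSID: this is what the rule flags
        "Provider_Name": "Microsoft-Windows-DistributedCOM",
        "EventID": 10001,
        "param1": r"C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe",
        "param2": "2147943140",
        "param3": "{054AAE20-4BEA-4347-8A35-64A533254A9D}",
    },
    {   # Same CLSID but a different error code (0x80070002): no match
        "Provider_Name": "Microsoft-Windows-DistributedCOM",
        "EventID": 10001,
        "param1": r"C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe",
        "param2": "2147942402",
        "param3": "{054AAE20-4BEA-4347-8A35-64A533254A9D}",
    },
    {   # Unrelated DCOM event ID: no match
        "Provider_Name": "Microsoft-Windows-DistributedCOM",
        "EventID": 10016,
        "param1": "",
        "param2": "",
        "param3": "{054AAE20-4BEA-4347-8A35-64A533254A9D}",
    },
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    hits = run_detection()
    facility, win32 = decode_hresult(SELECTION["param2"])
    print(f"matching events: {hits}")  # [0]
    print(f"param2 0x{SELECTION['param2']:08X} -> facility {facility}, Win32 error {win32}")
```

Only the first constructed event matches; the second shows that the rule keys on the specific elevation error rather than on any failed activation of that CLSID, which is worth keeping in mind when tuning the `falsepositives` section for your environment.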
Related rules
- HackTool - Impacket Tools Execution
- Potential SMB Relay Attack Tool Execution
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- HackTool - ADCSPwn Execution
- ISATAP Router Address Was Set