Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
Sigma rule

```yaml
title: Local Privilege Escalation Indicator TabTip
id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
status: test
description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
references:
    - https://github.com/antonioCoco/JuicyPotatoNG
author: Florian Roth (Nextron Systems)
date: 2022-10-07
modified: 2023-04-14
tags:
    - attack.execution
    - attack.t1557.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-DistributedCOM'
        EventID: 10001
        param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' # Binary starting/started
        param2: 2147943140 # ERROR id
        param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' # DCOM Server
    condition: selection
falsepositives:
    - Unknown
level: high
```
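To show what the selection above matches in practice, here is an added Python example (not part of the rule or of the Sigma project) that maps Windows System-log events rendered as XML onto the field names the rule uses and applies the selection to three constructed records; the XML samples are constructed for the example, not real captures.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows event XML as exported by wevtutil / Get-WinEvent.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Selection block of the Sigma rule above, one expected value per field.
SELECTION = {
    "Provider_Name": "Microsoft-Windows-DistributedCOM",
    "EventID": "10001",
    "param1": r"C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe",
    "param2": "2147943140",
    "param3": "{054AAE20-4BEA-4347-8A35-64A533254A9D}",
}

def flatten_event(xml_text: str) -> dict:
    """Map one System-log event (XML) onto the field names the rule uses."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "Provider_Name": system.find("e:Provider", NS).get("Name", ""),
        "EventID": system.findtext("e:EventID", default="", namespaces=NS).strip(),
    }
    # EventData/Data elements carry param1..paramN for DCOM event 10001.
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = (data.text or "").strip()
    return fields

def matches_rule(xml_text: str) -> bool:
    """All selection fields must equal their value; Sigma compares strings case-insensitively."""
    fields = flatten_event(xml_text)
    return all(fields.get(k, "").lower() == v.lower() for k, v in SELECTION.items())

def sample_event(cmd: str, err: int, clsid: str) -> str:
    """Build a constructed event 10001 record (assumed layout, not a real capture)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-DistributedCOM"/><EventID>10001</EventID></System>'
            f'<EventData><Data Name="param1">{cmd}</Data><Data Name="param2">{err}</Data>'
            f'<Data Name="param3">{clsid}</Data></EventData></Event>')

# Constructed samples: one hit, one with another CLSID, one with another binary.
TABTIP = r"C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe"
HIT = sample_event(TABTIP, 2147943140, "{054AAE20-4BEA-4347-8A35-64A533254A9D}")
OTHER_CLSID = sample_event(TABTIP, 2147943140, "{00000000-0000-0000-0000-000000000000}")
OTHER_BINARY = sample_event(r"C:\Windows\System32\notepad.exe", 2147943140, "{054AAE20-4BEA-4347-8A35-64A533254A9D}")

if __name__ == "__main__":
    for name, evt in {"HIT": HIT, "OTHER_CLSID": OTHER_CLSID, "OTHER_BINARY": OTHER_BINARY}.items():
        print(name, "alert" if matches_rule(evt) else "no alert")
```

Only the record that carries all three parameters exactly as the rule lists them raises an alert; a DCOM 10001 error for a different CLSID or a different binary does not.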
Related rules
- HackTool - Impacket Tools Execution
- Potential SMB Relay Attack Tool Execution
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType