HackTool - CoercedPotato Execution

calendar Apr 15, 2024 · attack.defense_evasion attack.privilege_escalation attack.t1055  ·
Share on: linkedin copy

Detects the use of CoercedPotato, a tool for privilege escalation

Sigma rule (View on GitHub)

 1title: HackTool - CoercedPotato Execution
 2id: e8d34729-86a4-4140-adfd-0a29c2106307
 3status: experimental
 4description: Detects the use of CoercedPotato, a tool for privilege escalation
 5references:
 6    - https://github.com/hackvens/CoercedPotato
 7    - https://blog.hackvens.fr/articles/CoercedPotato.html
 8author: Florian Roth (Nextron Systems)
 9date: 2023/10/11
10modified: 2024/04/15
11tags:
12    - attack.defense_evasion
13    - attack.privilege_escalation
14    - attack.t1055
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_loader_img:
20        Image|endswith: '\CoercedPotato.exe'
21    selection_params:
22        CommandLine|contains: ' --exploitId '
23    selection_loader_imphash:
24        - Imphash:
25              - 'a75d7669db6b2e107a44c4057ff7f7d6'
26              - 'f91624350e2c678c5dcbe5e1f24e22c9'
27              - '14c81850a079a87e83d50ca41c709a15'
28        - Hashes|contains:
29              - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
30              - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
31              - 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
32    condition: 1 of selection_*
33falsepositives:
34    - Unknown
35level: high

References

  • GitHub - hackvens/CoercedPotato

    Contribute to hackvens/CoercedPotato development by creating an account on GitHub.


    Read More

  • Coerced Potato

    CoercedPotato - Une patate de plus ! 🥔 Table des matières 1. Introduction 2. Une histoire de privilèges 3. Les Access Token Windows 4. Parlons bien, parlons « Named Pipe » 5. Un peu de Coercition d...


    Read More

Related rules

to-top