HackTool - CoercedPotato Execution
Detects the use of CoercedPotato, a tool for privilege escalation
Sigma rule (View on GitHub)
1title: HackTool - CoercedPotato Execution
2id: e8d34729-86a4-4140-adfd-0a29c2106307
3status: experimental
4description: Detects the use of CoercedPotato, a tool for privilege escalation
5references:
6 - https://github.com/hackvens/CoercedPotato
7 - https://blog.hackvens.fr/articles/CoercedPotato.html
8author: Florian Roth (Nextron Systems)
9date: 2023-10-11
10modified: 2024-04-15
11tags:
12 - attack.defense-evasion
13 - attack.privilege-escalation
14 - attack.t1055
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_loader_img:
20 Image|endswith: '\CoercedPotato.exe'
21 selection_params:
22 CommandLine|contains: ' --exploitId '
23 selection_loader_imphash:
24 - Imphash:
25 - 'a75d7669db6b2e107a44c4057ff7f7d6'
26 - 'f91624350e2c678c5dcbe5e1f24e22c9'
27 - '14c81850a079a87e83d50ca41c709a15'
28 - Hashes|contains:
29 - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
30 - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
31 - 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
32 condition: 1 of selection_*
33falsepositives:
34 - Unknown
35level: high
References
Related rules
- APT PRIVATELOG Image Load Pattern
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- CobaltStrike Named Pipe Patterns
- HackTool - EfsPotato Named Pipe Creation