HackTool - LocalPotato Execution

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

Sigma rule

title: HackTool - LocalPotato Execution
id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
status: test
description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
references:
    - https://www.localpotato.com/localpotato_html/LocalPotato.html
    - https://github.com/decoder-it/LocalPotato
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2024-11-23
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - cve.2023-21746
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\LocalPotato.exe'
    selection_cli:
        CommandLine|contains|all:
            - '.exe -i C:\'
            - '-o Windows\'
    selection_hash_plain:
        Hashes|contains:
            - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
            - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
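As an added example (not part of the rule above or of the Sigma project), the following Python re-implements the three selections and the `1 of selection_*` condition with Sigma's case-insensitive string semantics and runs them over constructed Windows process_creation events; the event values are made up for illustration, the hashes and patterns are the ones from the rule.

```python
# Minimal evaluator for this rule's detection block (added example, not the
# official pySigma backend). Field modifiers handled: endswith, contains, all.
RULE = {
    "selection_img": {"Image|endswith": ["\\LocalPotato.exe"]},
    "selection_cli": {"CommandLine|contains|all": [".exe -i C:\\", "-o Windows\\"]},
    "selection_hash_plain": {"Hashes|contains": [
        "IMPHASH=E1742EE971D6549E8D4D81115F88F1FC",
        "IMPHASH=DD82066EFBA94D7556EF582F247C8BB5",
    ]},
}

def match_field(event, spec, values):
    """Evaluate one 'Field|modifier...' entry; Sigma string matching is
    case-insensitive, so both sides are lower-cased."""
    field, *mods = spec.split("|")
    hay = str(event.get(field, "")).lower()
    needles = [v.lower() for v in values]
    if "endswith" in mods:
        hits = [hay.endswith(n) for n in needles]
    elif "contains" in mods:
        hits = [n in hay for n in needles]
    else:
        hits = [hay == n for n in needles]
    # 'all' requires every listed value to match; the default is any-of.
    return all(hits) if "all" in mods else any(hits)

def selection_matches(event, selection):
    # Entries inside one selection are AND-ed together.
    return all(match_field(event, spec, vals) for spec, vals in selection.items())

def evaluate(event):
    """Return the selections that fired. The condition is '1 of selection_*',
    so a non-empty list means the rule triggers on this event."""
    return [name for name, sel in RULE.items() if selection_matches(event, sel)]

# Constructed sample events (not real telemetry): the unrenamed binary, a
# renamed copy with the default CLI, a renamed copy caught by import hash,
# and a benign process with a placeholder hash.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\u\\Desktop\\LocalPotato.exe", "CommandLine": "LocalPotato.exe", "Hashes": ""},
    {"Image": "C:\\temp\\lp.exe", "CommandLine": "lp.exe -i C:\\payload.dll -o Windows\\System32\\x.dll", "Hashes": ""},
    {"Image": "C:\\Windows\\Temp\\svc.exe", "CommandLine": "svc.exe",
     "Hashes": "MD5=PLACEHOLDER,IMPHASH=E1742EE971D6549E8D4D81115F88F1FC"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\notes.txt",
     "Hashes": "IMPHASH=00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", evaluate(ev) or "no match")
```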
