HackTool - LocalPotato Execution

 1title: HackTool - LocalPotato Execution
 2id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
 3status: test
 4description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
 5references:
 6    - https://www.localpotato.com/localpotato_html/LocalPotato.html
 7    - https://github.com/decoder-it/LocalPotato
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-02-14
10tags:
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - cve.2023-21746
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        Image|endswith: '\LocalPotato.exe'
20    selection_cli:
21        CommandLine|contains|all:
22            - '.exe -i C:\'
23            - '-o Windows\'
24    selection_hash_plain:
25        Hashes|contains:
26            - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
27            - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
28    selection_hash_ext:
29        Imphash:
30            - 'E1742EE971D6549E8D4D81115F88F1FC'
31            - 'DD82066EFBA94D7556EF582F247C8BB5'
32    condition: 1 of selection_*
33falsepositives:
34    - Unlikely
35level: high

References

• LocalPotato - When Swapping The Context Leads You To SYSTEM

  

  Here we are again with our new *potato flavor, the LocalPotato! This was a cool finding so we decided to create this dedicated website ;)

  
  Read More

• GitHub - decoder-it/LocalPotato

  

  Contribute to decoder-it/LocalPotato development by creating an account on GitHub.

  
  Read More

Related rules

• APT PRIVATELOG Image Load Pattern
• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Activity From Anonymous IP Address