HackTool - LocalPotato Execution
Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
Sigma rule (View on GitHub)
1title: HackTool - LocalPotato Execution
2id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
3status: test
4description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
5references:
6 - https://www.localpotato.com/localpotato_html/LocalPotato.html
7 - https://github.com/decoder-it/LocalPotato
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023/02/14
10tags:
11 - attack.defense_evasion
12 - attack.privilege_escalation
13 - cve.2023.21746
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 Image|endswith: '\LocalPotato.exe'
20 selection_cli:
21 CommandLine|contains|all:
22 - '.exe -i C:\'
23 - '-o Windows\'
24 selection_hash_plain:
25 Hashes|contains:
26 - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
27 - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
28 selection_hash_ext:
29 Imphash:
30 - 'E1742EE971D6549E8D4D81115F88F1FC'
31 - 'DD82066EFBA94D7556EF582F247C8BB5'
32 condition: 1 of selection_*
33falsepositives:
34 - Unlikely
35level: high
References
-
Here we are again with our new *potato flavor, the LocalPotato! This was a cool finding so we decided to create this dedicated website ;)
Read More -
Related rules
- HackTool - Impersonate Execution
- HackTool - SharpImpersonation Execution
- PUA - AdvancedRun Execution
- PUA - AdvancedRun Suspicious Execution
- Potential PrintNightmare Exploitation Attempt