Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
Sigma rule (View on GitHub)
1title: Potential SMB Relay Attack Tool Execution
2id: 5589ab4f-a767-433c-961d-c91f3f704db1
3status: test
4description: Detects different hacktools used for relay attacks on Windows for privilege escalation
5references:
6 - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
7 - https://pentestlab.blog/2017/04/13/hot-potato/
8 - https://github.com/ohpe/juicy-potato
9 - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
10 - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
11 - https://www.localpotato.com/
12author: Florian Roth (Nextron Systems)
13date: 2021-07-24
14modified: 2023-02-14
15tags:
16 - attack.collection
17 - attack.execution
18 - attack.credential-access
19 - attack.t1557.001
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_pe:
25 Image|contains:
26 - 'PetitPotam'
27 - 'RottenPotato'
28 - 'HotPotato'
29 - 'JuicyPotato'
30 - '\just_dce_'
31 - 'Juicy Potato'
32 - '\temp\rot.exe'
33 - '\Potato.exe'
34 - '\SpoolSample.exe'
35 - '\Responder.exe'
36 - '\smbrelayx'
37 - '\ntlmrelayx'
38 - '\LocalPotato'
39 selection_script:
40 CommandLine|contains:
41 - 'Invoke-Tater'
42 - ' smbrelay'
43 - ' ntlmrelay'
44 - 'cme smb '
45 - ' /ntlm:NTLMhash '
46 - 'Invoke-PetitPotam'
47 - '.exe -t * -p ' # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG
48 selection_juicypotato_enum: # appears when JuicyPotatoNG is used with -b
49 CommandLine|contains: '.exe -c "{'
50 CommandLine|endswith: '}" -z'
51 filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/
52 Image|contains:
53 - 'HotPotatoes6'
54 - 'HotPotatoes7'
55 - 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial'
56 condition: 1 of selection_* and not 1 of filter_*
57falsepositives:
58 - Legitimate files with these rare hacktool names
59level: critical
References
-
By @breenmachine This past Friday, myself and my partner in crime, Chris Mallz (@vvalien1) spoke at DerbyCon about a project we’ve been working on for the last few months. For those intereste…
Read More -
Hot potato is the code name of a Windows privilege escalation technique that was discovered by Stephen Breen. This technique is actually a combination of two known windows issues like NBNS spoofin…
Read More -
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM. - GitHub - ohpe/juicy-potato: A suga...
Read More -
This is an experience from a real internal domain pentest. Customer name has obviously been removed. Goal here is going from network access only to domain admin (DA). This process takes about 30 mi...
Read More -
byt3bl33d3r has written some good guides on this attack. See b3t3bl33d3r's guide NetNTLMv2 is microsoft's challenge and response protocol. When authenticating to a server the user's hash followed b...
Read More -
Yes! we did it again, another local Windows privilege escalation using a new potato technique ;) LocalPotato @decoder_it & @splinter_code CVE-2023-21746
Read More
Related rules
- HackTool - Impacket Tools Execution
- Local Privilege Escalation Indicator TabTip
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- HackTool - ADCSPwn Execution
- ISATAP Router Address Was Set