Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
Sigma rule (View on GitHub)
1title: Potential SMB Relay Attack Tool Execution
2id: 5589ab4f-a767-433c-961d-c91f3f704db1
3status: test
4description: Detects different hacktools used for relay attacks on Windows for privilege escalation
5references:
6 - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
7 - https://pentestlab.blog/2017/04/13/hot-potato/
8 - https://github.com/ohpe/juicy-potato
9 - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
10 - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
11 - https://www.localpotato.com/
12author: Florian Roth (Nextron Systems)
13date: 2021-07-24
14modified: 2023-02-14
15tags:
16 - attack.execution
17 - attack.t1557.001
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_pe:
23 Image|contains:
24 - 'PetitPotam'
25 - 'RottenPotato'
26 - 'HotPotato'
27 - 'JuicyPotato'
28 - '\just_dce_'
29 - 'Juicy Potato'
30 - '\temp\rot.exe'
31 - '\Potato.exe'
32 - '\SpoolSample.exe'
33 - '\Responder.exe'
34 - '\smbrelayx'
35 - '\ntlmrelayx'
36 - '\LocalPotato'
37 selection_script:
38 CommandLine|contains:
39 - 'Invoke-Tater'
40 - ' smbrelay'
41 - ' ntlmrelay'
42 - 'cme smb '
43 - ' /ntlm:NTLMhash '
44 - 'Invoke-PetitPotam'
45 - '.exe -t * -p ' # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG
46 selection_juicypotato_enum: # appears when JuicyPotatoNG is used with -b
47 CommandLine|contains: '.exe -c "{'
48 CommandLine|endswith: '}" -z'
49 filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/
50 Image|contains:
51 - 'HotPotatoes6'
52 - 'HotPotatoes7'
53 - 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial'
54 condition: 1 of selection_* and not 1 of filter_*
55falsepositives:
56 - Legitimate files with these rare hacktool names
57level: critical
References
-
By @breenmachine This past Friday, myself and my partner in crime, Chris Mallz (@vvalien1) spoke at DerbyCon about a project we’ve been working on for the last few months. For those intereste…
Read More -
Hot potato is the code name of a Windows privilege escalation technique that was discovered by Stephen Breen. This technique is actually a combination of two known windows issues like NBNS spoofin…
Read More -
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM. - GitHub - ohpe/juicy-potato: A suga...
Read More -
This is an experience from a real internal domain pentest. Customer name has obviously been removed. Goal here is going from network access only to domain admin (DA). This process takes about 30 mi...
Read More -
byt3bl33d3r has written some good guides on this attack. See b3t3bl33d3r's guide NetNTLMv2 is microsoft's challenge and response protocol. When authenticating to a server the user's hash followed b...
Read More -
Yes! we did it again, another local Windows privilege escalation using a new potato technique ;) LocalPotato @decoder_it & @splinter_code CVE-2023-21746
Read More
Related rules
- HackTool - Impacket Tools Execution
- Local Privilege Escalation Indicator TabTip
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType