Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
Sigma rule (View on GitHub)
1title: Potential SMB Relay Attack Tool Execution
2id: 5589ab4f-a767-433c-961d-c91f3f704db1
3status: test
4description: Detects different hacktools used for relay attacks on Windows for privilege escalation
5references:
6 - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
7 - https://pentestlab.blog/2017/04/13/hot-potato/
8 - https://github.com/ohpe/juicy-potato
9 - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
10 - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
11 - https://www.localpotato.com/
12author: Florian Roth (Nextron Systems)
13date: 2021-07-24
14modified: 2023-02-14
15tags:
16 - attack.execution
17 - attack.credential-access
18 - attack.t1557.001
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_pe:
24 Image|contains:
25 - 'PetitPotam'
26 - 'RottenPotato'
27 - 'HotPotato'
28 - 'JuicyPotato'
29 - '\just_dce_'
30 - 'Juicy Potato'
31 - '\temp\rot.exe'
32 - '\Potato.exe'
33 - '\SpoolSample.exe'
34 - '\Responder.exe'
35 - '\smbrelayx'
36 - '\ntlmrelayx'
37 - '\LocalPotato'
38 selection_script:
39 CommandLine|contains:
40 - 'Invoke-Tater'
41 - ' smbrelay'
42 - ' ntlmrelay'
43 - 'cme smb '
44 - ' /ntlm:NTLMhash '
45 - 'Invoke-PetitPotam'
46 - '.exe -t * -p ' # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG
47 selection_juicypotato_enum: # appears when JuicyPotatoNG is used with -b
48 CommandLine|contains: '.exe -c "{'
49 CommandLine|endswith: '}" -z'
50 filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/
51 Image|contains:
52 - 'HotPotatoes6'
53 - 'HotPotatoes7'
54 - 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial'
55 condition: 1 of selection_* and not 1 of filter_*
56falsepositives:
57 - Legitimate files with these rare hacktool names
58level: critical
References
-
By @breenmachine This past Friday, myself and my partner in crime, Chris Mallz (@vvalien1) spoke at DerbyCon about a project we’ve been working on for the last few months. For those intereste…
Read More -
Hot potato is the code name of a Windows privilege escalation technique that was discovered by Stephen Breen. This technique is actually a combination of two known windows issues like NBNS spoofin…
Read More -
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM. - GitHub - ohpe/juicy-potato: A suga...
Read More -
This is an experience from a real internal domain pentest. Customer name has obviously been removed. Goal here is going from network access only to domain admin (DA). This process takes about 30 mi...
Read More -
byt3bl33d3r has written some good guides on this attack. See NetNTLMv2 is microsoft's challenge and response protocol. When authenticating to a server the user's hash followed by the server's chall...
Read More -
Yes! we did it again, another local Windows privilege escalation using a new potato technique ;) LocalPotato @decoder_it & @splinter_code CVE-2023-21746
Read More
Related rules
- Local Privilege Escalation Indicator TabTip
- Potential PetitPotam Attack Via EFS RPC Calls
- HackTool - HandleKatz Duplicating LSASS Handle
- Potential Adplus.EXE Abuse
- AADInternals PowerShell Cmdlets Execution - ProccessCreation