HackTool - LocalPotato Execution

Hunt Hypothesis

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

Detection Rule

Sigma (Original)

title: HackTool - LocalPotato Execution
id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
status: test
description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
references:
    - https://www.localpotato.com/localpotato_html/LocalPotato.html
    - https://github.com/decoder-it/LocalPotato
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - cve.2023-21746
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\LocalPotato.exe'
    selection_cli:
        CommandLine|contains|all:
            - '.exe -i C:\'
            - '-o Windows\'
    selection_hash_plain:
        Hashes|contains:
            - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
            - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\LocalPotato.exe" or (TargetProcessCommandLine contains ".exe -i C:\\" and TargetProcessCommandLine contains "-o Windows\\") or (TargetProcessIMPHASH startswith "E1742EE971D6549E8D4D81115F88F1FC" or TargetProcessIMPHASH startswith "DD82066EFBA94D7556EF582F247C8BB5")

Required Data Sources

False Positive Guidance

• Unlikely

MITRE ATT&CK Context

• Tactic: Privilege Escalation

References

• https://www.localpotato.com/localpotato_html/LocalPotato.html
• https://github.com/decoder-it/LocalPotato
• SigmaHQ Rule