
Potential SMB Relay Attack Tool Execution

Format: Sigma · Level: critical · Source: SigmaHQ · Technique: T1557.001 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-09T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects different hacktools used for relay attacks on Windows for privilege escalation

Detection Rule

Sigma (Original)

title: Potential SMB Relay Attack Tool Execution
id: 5589ab4f-a767-433c-961d-c91f3f704db1
status: test
description: Detects different hacktools used for relay attacks on Windows for privilege escalation
references:
    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
    - https://pentestlab.blog/2017/04/13/hot-potato/
    - https://github.com/ohpe/juicy-potato
    - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
    - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
    - https://www.localpotato.com/
author: Florian Roth (Nextron Systems)
date: 2021-07-24
modified: 2023-02-14
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        Image|contains:
            - 'PetitPotam'
            - 'RottenPotato'
            - 'HotPotato'
            - 'JuicyPotato'
            - '\just_dce_'
            - 'Juicy Potato'
            - '\temp\rot.exe'
            - '\Potato.exe'
            - '\SpoolSample.exe'
            - '\Responder.exe'
            - '\smbrelayx'
            - '\ntlmrelayx'
            - '\LocalPotato'
    selection_script:
        CommandLine|contains:
            - 'Invoke-Tater'
            - ' smbrelay'
            - ' ntlmrelay'
            - 'cme smb '
            - ' /ntlm:NTLMhash '
            - 'Invoke-PetitPotam'
            - '.exe -t * -p '  # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG
    selection_juicypotato_enum:  # appears when JuicyPotatoNG is used with -b
        CommandLine|contains: '.exe -c "{'
        CommandLine|endswith: '}" -z'
    filter_hotpotatoes:  # known goodware https://hotpot.uvic.ca/
        Image|contains:
            - 'HotPotatoes6'
            - 'HotPotatoes7'
            - 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate files with these rare hacktool names
level: critical

KQL (Azure Sentinel)

imProcessCreate
| where (
    (TargetProcessName contains "PetitPotam" or TargetProcessName contains "RottenPotato" or TargetProcessName contains "HotPotato"
     or TargetProcessName contains "JuicyPotato" or TargetProcessName contains "\\just_dce_" or TargetProcessName contains "Juicy Potato"
     or TargetProcessName contains "\\temp\\rot.exe" or TargetProcessName contains "\\Potato.exe" or TargetProcessName contains "\\SpoolSample.exe"
     or TargetProcessName contains "\\Responder.exe" or TargetProcessName contains "\\smbrelayx" or TargetProcessName contains "\\ntlmrelayx"
     or TargetProcessName contains "\\LocalPotato")
    or (TargetProcessCommandLine contains "Invoke-Tater" or TargetProcessCommandLine contains " smbrelay" or TargetProcessCommandLine contains " ntlmrelay"
     or TargetProcessCommandLine contains "cme smb " or TargetProcessCommandLine contains " /ntlm:NTLMhash " or TargetProcessCommandLine contains "Invoke-PetitPotam"
     or (TargetProcessCommandLine contains ".exe -t " and TargetProcessCommandLine contains " -p "))
    or (TargetProcessCommandLine contains ".exe -c \"{" and TargetProcessCommandLine endswith "}\" -z")
  )
  and (not((TargetProcessName contains "HotPotatoes6" or TargetProcessName contains "HotPotatoes7" or TargetProcessName contains "HotPotatoes ")))
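As an added example (not part of the SigmaHQ rule or of this feed), the rule's detection logic re-implemented in Python and run over a few constructed process-creation events. It evaluates the Sigma condition directly, including the `*` wildcard in `.exe -t * -p `, rather than the two-`contains` split the KQL translation uses; the sample events and the CLSID-shaped value are placeholders, not real telemetry.

```python
import re

# Patterns copied from the Sigma rule above (Sigma string matching is case-insensitive).
IMAGE_PATTERNS = [
    "PetitPotam", "RottenPotato", "HotPotato", "JuicyPotato", r"\just_dce_",
    "Juicy Potato", r"\temp\rot.exe", r"\Potato.exe", r"\SpoolSample.exe",
    r"\Responder.exe", r"\smbrelayx", r"\ntlmrelayx", r"\LocalPotato",
]
CMDLINE_PATTERNS = [
    "Invoke-Tater", " smbrelay", " ntlmrelay", "cme smb ", " /ntlm:NTLMhash ",
    "Invoke-PetitPotam", ".exe -t * -p ",  # '*' is a Sigma wildcard
]
FILTER_IMAGE = ["HotPotatoes6", "HotPotatoes7", "HotPotatoes "]


def sigma_contains(value: str, pattern: str) -> bool:
    """Sigma 'contains' modifier: substring match where '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.search(regex, value, re.IGNORECASE) is not None


def sigma_endswith(value: str, pattern: str) -> bool:
    return value.lower().endswith(pattern.lower())


def matches_rule(event: dict) -> bool:
    """Evaluate 'condition: 1 of selection_* and not 1 of filter_*' for one event."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    selection_pe = any(sigma_contains(image, p) for p in IMAGE_PATTERNS)
    selection_script = any(sigma_contains(cmd, p) for p in CMDLINE_PATTERNS)
    selection_enum = sigma_contains(cmd, '.exe -c "{') and sigma_endswith(cmd, '}" -z')
    filter_hotpotatoes = any(sigma_contains(image, p) for p in FILTER_IMAGE)
    return (selection_pe or selection_script or selection_enum) and not filter_hotpotatoes


# Constructed sample events (not real telemetry); the braced value is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\JuicyPotato.exe", "CommandLine": "JuicyPotato.exe"},
    {"Image": r"C:\Program Files\HotPotatoes 7\HotPot.exe", "CommandLine": "HotPot.exe"},
    {"Image": r"C:\Temp\tool.exe", "CommandLine": "tool.exe -t foo -p bar"},
    {"Image": r"C:\Temp\tool.exe",
     "CommandLine": 'tool.exe -c "{00000000-0000-0000-0000-000000000000}" -z'},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"c:\tools\responder.exe", "CommandLine": "responder.exe"},
]


def run(events):
    """Return the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))  # [0, 2, 3, 5]
```

Event 1 shows the `filter_hotpotatoes` exclusion suppressing a hit that `HotPotato` alone would produce. The Sigma wildcard also enforces ordering (`.exe -t ` before ` -p `), whereas the KQL `contains ... and contains ...` does not, so the Sentinel query is slightly broader than the original rule.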

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

The rule author lists one source of false positives: legitimate files that happen to carry these rare hacktool names. The filter_hotpotatoes selection already excludes the HotPotatoes educational software (hotpot.uvic.ca), whose image names such as "HotPotatoes 7" would otherwise match the "HotPotato" pattern. Of the command-line patterns, ".exe -t * -p " is the least specific and the first to check when triaging a hit.

MITRE ATT&CK Context

T1557.001: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay. The rule is tagged with the Collection, Execution and Credential Access tactics.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml