hayabusa/rules/Sigma/win_tools_relay_attacks.yml

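---
# Hayabusa conversion of the Sigma rule for well-known NTLM/SMB relay and
# "Potato"-family tooling, keyed on Windows process-creation events.
#
# Scope caveat for anyone tuning this: every selection below matches on the
# executable path or on a literal command-line token. A renamed, recompiled
# or reflectively-loaded copy of the same tool evades all of them, so treat
# this as a cheap hacktool tripwire, not as behavioural coverage of relay
# attacks. Pair it with hash/imphash-based or network-level detections.
title: SMB Relay Attack Tools
id: 5589ab4f-a767-433c-961d-c91f3f704db1
status: experimental
description: >-
  Detects different hacktools used for relay attacks on Windows for privilege
  escalation
references:
  - https://attack.mitre.org/techniques/T1557/001/
  - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
  - https://pentestlab.blog/2017/04/13/hot-potato/
  - https://github.com/ohpe/juicy-potato
  - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
  - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
author: Florian Roth
date: 2021/07/24
modified: 2021/07/26
# NOTE(review): the description frames this as privilege escalation, but the
# tags only carry the execution tactic; consider whether a privilege
# escalation tag belongs here as well, given the Potato-family selections.
tags:
  - attack.execution
  - attack.t1557.001
logsource:
  category: process_creation
  product: windows
detection:
  # Process-creation event. Only the EventID is pinned here (no Channel), so
  # scoping to the Sysmon channel depends on how the consumer maps the
  # process_creation logsource; EventID 1 exists in other channels too, and
  # Security 4688 process events are not covered by this rule.
  SELECTION_1:
    EventID: 1
  # --- Image group (SELECTION_2 .. SELECTION_13): executable name/path ---
  # Potato family. Per the referenced write-ups these relay NTLM locally to
  # go from a service account to SYSTEM. Patterns without a leading '\' match
  # anywhere in the path, including parent directory names.
  SELECTION_2:
    Image: '*PetitPotam*'
  SELECTION_3:
    Image: '*RottenPotato*'
  SELECTION_4:
    Image: '*HotPotato*'
  SELECTION_5:
    Image: '*JuicyPotato*'
  SELECTION_6:
    Image: '*\just_dce_*'
  SELECTION_7:
    Image: '*Juicy Potato*'
  # Artefact names lifted from the referenced war stories (e.g. rot.exe
  # dropped in a temp directory). Brittle, but cheap to keep.
  SELECTION_8:
    Image: '*\temp\rot.exe*'
  SELECTION_9:
    Image: '*\Potato.exe*'
  # Coercion / poisoning / relay binaries. The trailing '*' preserves the
  # original wildcard semantics even though Image normally ends at the
  # executable name.
  SELECTION_10:
    Image: '*\SpoolSample.exe*'
  SELECTION_11:
    Image: '*\Responder.exe*'
  SELECTION_12:
    Image: '*\smbrelayx*'
  SELECTION_13:
    Image: '*\ntlmrelayx*'
  # --- CommandLine group (SELECTION_14 .. SELECTION_19): argument tokens ---
  # Leading-space patterns (' smbrelay', ' ntlmrelay') require the token to
  # appear as a separate argument, e.g. a script name passed to an
  # interpreter, rather than anywhere inside a longer word.
  SELECTION_14:
    CommandLine: '*Invoke-Tater*'
  SELECTION_15:
    CommandLine: '* smbrelay*'
  SELECTION_16:
    CommandLine: '* ntlmrelay*'
  # NOTE(review): 'cme smb ' (presumably CrackMapExec's SMB module) is far
  # broader than relay tooling; expect hits from any CME SMB usage, which at
  # level critical may be noisy in environments where red teams use CME.
  SELECTION_17:
    CommandLine: '*cme smb *'
  # NOTE(review): 'NTLMhash' reads like a placeholder copied verbatim from a
  # write-up rather than real tool syntax. A live operator substitutes an
  # actual hash, so this selection likely only fires on pasted lab commands;
  # confirm against the referenced write-ups before relying on it.
  SELECTION_18:
    CommandLine: '* /ntlm:NTLMhash *'
  SELECTION_19:
    CommandLine: '*Invoke-PetitPotam*'
  # Process-creation event AND (any Image match OR any CommandLine match).
  condition: >-
    (SELECTION_1 and ((SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
    or SELECTION_11 or SELECTION_12 or SELECTION_13) or (SELECTION_14 or SELECTION_15
    or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19)))
falsepositives:
  - Legitimate files with these rare hacktool names
level: critical
# Hayabusa-specific metadata appended by the conversion tooling.
yml_filename: win_tools_relay_attacks.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation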