Potential SMB Relay Attack Tool Execution
- source: sigma
- techniques:
  - t1557
  - t1557.001
Description
Detects various hacktools used for relay attacks on Windows that lead to privilege escalation.
Detection logic
condition: 1 of selection_* and not 1 of filter_*
filter_hotpotatoes:
  Image|contains:
    - HotPotatoes6
    - HotPotatoes7
    - 'HotPotatoes '
selection_juicypotato_enum:
  CommandLine|contains: '.exe -c "{'
  CommandLine|endswith: '}" -z'
selection_pe:
  Image|contains:
    - PetitPotam
    - RottenPotato
    - HotPotato
    - JuicyPotato
    - \just_dce_
    - Juicy Potato
    - \temp\rot.exe
    - \Potato.exe
    - \SpoolSample.exe
    - \Responder.exe
    - \smbrelayx
    - \ntlmrelayx
    - \LocalPotato
selection_script:
  CommandLine|contains:
    - Invoke-Tater
    - ' smbrelay'
    - ' ntlmrelay'
    - 'cme smb '
    - ' /ntlm:NTLMhash '
    - Invoke-PetitPotam
    - '.exe -t * -p '
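As an added example (not code from the Sigma project or this rule), the condition above implemented as a matcher over constructed Sysmon process-creation events; it shows the AND between the two fields of selection_juicypotato_enum, the unescaped '*' wildcard in '.exe -t * -p ', and how filter_hotpotatoes suppresses the Hot Potatoes false positive. Event contents and the CLSID are constructed placeholders.

```python
import re

# Added example, not code from the Sigma project: the rule's detection logic as
# a matcher over constructed Sysmon process-creation events (Image, CommandLine).
RULE = {
    # Inside one selection every field must match; a list of values is OR.
    "selection_juicypotato_enum": {
        "CommandLine|contains": ['.exe -c "{'],
        "CommandLine|endswith": ['}" -z'],
    },
    "selection_pe": {"Image|contains": [
        "PetitPotam", "RottenPotato", "HotPotato", "JuicyPotato", "\\just_dce_",
        "Juicy Potato", "\\temp\\rot.exe", "\\Potato.exe", "\\SpoolSample.exe",
        "\\Responder.exe", "\\smbrelayx", "\\ntlmrelayx", "\\LocalPotato"]},
    "selection_script": {"CommandLine|contains": [
        "Invoke-Tater", " smbrelay", " ntlmrelay", "cme smb ", " /ntlm:NTLMhash ",
        "Invoke-PetitPotam", ".exe -t * -p "]},
    "filter_hotpotatoes": {"Image|contains": [
        "HotPotatoes6", "HotPotatoes7", "HotPotatoes "]},
}
def _to_regex(value, modifier):
    # Sigma matching is case-insensitive and an unescaped '*' is a wildcard,
    # so '.exe -t * -p ' covers any argument between -t and -p.
    body = ".*".join(re.escape(part) for part in value.split("*"))
    return re.compile(body + ("$" if modifier == "endswith" else ""), re.IGNORECASE)

def _selection_matches(event, selection):
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        if not any(_to_regex(v, modifier).search(event.get(field, "")) for v in values):
            return False
    return True

def rule_matches(event):
    """condition: 1 of selection_* and not 1 of filter_*"""
    hit = any(_selection_matches(event, s) for n, s in RULE.items() if n.startswith("selection_"))
    excluded = any(_selection_matches(event, s) for n, s in RULE.items() if n.startswith("filter_"))
    return hit and not excluded
# Constructed sample events (not real telemetry); the CLSID is a zeroed placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\Downloads\JuicyPotato.exe",
     "CommandLine": 'JuicyPotato.exe -c "{00000000-0000-0000-0000-000000000000}" -z'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c tool.exe -t t -p c:\temp\x.exe"},
    {"Image": r"C:\Program Files\HotPotatoes7\HotPotatoes.exe", "CommandLine": "HotPotatoes.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]
def alerts(events=SAMPLE_EVENTS):
    return [i for i, e in enumerate(events) if rule_matches(e)]  # [0, 1] for the samples
```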