← Back to Explore
sigmahighHunting
HackTool - LocalPotato Execution
Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
Detection Query
selection_img:
Image|endswith: \LocalPotato.exe
selection_cli:
CommandLine|contains|all:
- .exe -i C:\
- -o Windows\
selection_hash_plain:
Hashes|contains:
- IMPHASH=E1742EE971D6549E8D4D81115F88F1FC
- IMPHASH=DD82066EFBA94D7556EF582F247C8BB5
condition: 1 of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-02-14
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.privilege-escalationcve.2023-21746
Raw Content
title: HackTool - LocalPotato Execution
id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
status: test
description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
references:
- https://www.localpotato.com/localpotato_html/LocalPotato.html
- https://github.com/decoder-it/LocalPotato
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.privilege-escalation
- cve.2023-21746
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\LocalPotato.exe'
selection_cli:
CommandLine|contains|all:
- '.exe -i C:\'
- '-o Windows\'
selection_hash_plain:
Hashes|contains:
- 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
- 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high