sigmahighHunting

Local Privilege Escalation Indicator TabTip

Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

MITRE ATT&CK

collectionexecutioncredential-access

Detection Query

selection:
  Provider_Name: Microsoft-Windows-DistributedCOM
  EventID: 10001
  param1: C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
  param2: 2147943140
  param3: "{054AAE20-4BEA-4347-8A35-64A533254A9D}"
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-10-07

Data Sources

windowssystem

Platforms

windows

References

https://github.com/antonioCoco/JuicyPotatoNG

Tags

attack.collectionattack.executionattack.credential-accessattack.t1557.001

Raw Content

title: Local Privilege Escalation Indicator TabTip
id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
status: test
description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
references:
    - https://github.com/antonioCoco/JuicyPotatoNG
author: Florian Roth (Nextron Systems)
date: 2022-10-07
modified: 2023-04-14
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-DistributedCOM'
        EventID: 10001
        param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe'  # Binary starting/started
        param2: 2147943140                                                       # ERROR id
        param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}'                         # DCOM Server
    condition: selection
falsepositives:
    - Unknown
level: high