HackTool - LocalPotato Execution
Type: Detection | Level: high | Status: test
Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Tue Feb 14
Updated: Sat Nov 23
Rule ID: 6bd75993-9888-4f91-9404-e1e4e4e34b77
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (3 selectors)
detection:
    selection_img:
        Image|endswith: '\LocalPotato.exe'
    selection_cli:
        CommandLine|contains|all:
            - '.exe -i C:\'
            - '-o Windows\'
    selection_hash_plain:
        Hashes|contains:
            - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
            - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
    condition: 1 of selection_*

False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
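The three selectors and the `1 of selection_*` condition, as an added Python example that is not part of this rule page or the SigmaHQ project: it re-implements the rule's matching (Sigma string modifiers are case-insensitive by default, so every comparison folds case) and runs it over constructed Sysmon-style process-creation events, one per selector plus a benign one.

```python
# Added example: a minimal evaluator for the LocalPotato Sigma rule's three selectors.
# Field names (Image, CommandLine, Hashes) follow Sysmon process-creation events.

IMAGE_SUFFIX = "\\LocalPotato.exe"                      # selection_img: Image|endswith
CLI_ALL = [".exe -i C:\\", "-o Windows\\"]              # selection_cli: CommandLine|contains|all
IMPHASHES = [                                           # selection_hash_plain: Hashes|contains
    "IMPHASH=E1742EE971D6549E8D4D81115F88F1FC",
    "IMPHASH=DD82066EFBA94D7556EF582F247C8BB5",
]


def _lc(value):
    """Fold a possibly-missing field to lower case (Sigma matching is case-insensitive)."""
    return (value or "").lower()


def selection_img(event):
    return _lc(event.get("Image")).endswith(IMAGE_SUFFIX.lower())


def selection_cli(event):
    cmd = _lc(event.get("CommandLine"))
    return all(frag.lower() in cmd for frag in CLI_ALL)   # |all: every fragment must appear


def selection_hash_plain(event):
    hashes = _lc(event.get("Hashes"))
    return any(h.lower() in hashes for h in IMPHASHES)     # list value: any entry matches


SELECTORS = {
    "selection_img": selection_img,
    "selection_cli": selection_cli,
    "selection_hash_plain": selection_hash_plain,
}


def evaluate(event):
    """Return the names of the selectors that match this event."""
    return [name for name, check in SELECTORS.items() if check(event)]


def rule_fires(event):
    """condition: 1 of selection_* -> at least one selector matched."""
    return len(evaluate(event)) >= 1


# Constructed sample events (not real telemetry); hashes and paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\LocalPotato.exe", "CommandLine": "LocalPotato.exe"},
    {"Image": "C:\\Temp\\lp.exe", "CommandLine": "lp.exe -i C:\\src.bin -o Windows\\dst.bin", "Hashes": ""},
    {"Image": "C:\\Temp\\svc.exe", "CommandLine": "svc.exe", "Hashes": "MD5=constructed,IMPHASH=DD82066EFBA94D7556EF582F247C8BB5"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\notes.txt", "Hashes": "IMPHASH=00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", evaluate(ev) or "no match")
```

Renaming the binary defeats only selection_img; the CLI and import-hash selectors still fire, which is why the rule ORs the three.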
MITRE ATT&CK
Other
cve.2023-21746
Rule Metadata
Rule ID
6bd75993-9888-4f91-9404-e1e4e4e34b77
Status
test
Level
high
Type
Detection
Created
Tue Feb 14
Modified
Sat Nov 23
Path
rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
Raw Tags
attack.defense-evasion, attack.privilege-escalation, cve.2023-21746