HackTool - CoercedPotato Execution

    Date: 11/26/2024

    Severity: High

    Summary

    Detects the use of CoercedPotato, a tool designed for privilege escalation.

    Indicators of Compromise (IOC) List

    Image:

    '\CoercedPotato.exe'

    CommandLine:

    ' --exploitId '

    Hashes:

    'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'

    'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'

    'IMPHASH=14C81850A079A87E83D50CA41C709A15'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1: 

    (resourcename = "Windows Security" AND eventtype = "4688") AND ((processname like "CoercedPotato.exe" OR newprocessname like "CoercedPotato.exe") OR commandline like "--exploitId")

    Detection Query 2:

    (technologygroup = "EDR") AND ((processname like "CoercedPotato.exe" OR newprocessname like "CoercedPotato.exe") OR commandline like "--exploitId")

    Detection Query 3:

    md5hash IN ("A75D7669DB6B2E107A44C4057FF7F7D6","F91624350E2C678C5DCBE5E1F24E22C9","14C81850A079A87E83D50CA41C709A15")
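    The three queries above each cover one of the IOC selections from the referenced Sigma rule (image name, command-line flag, import hash), and the rule fires when any one of them matches. The following is an added example, not Gurucul's or SigmaHQ's code, that evaluates that same logic over a few constructed Sysmon-style process-creation events so the behaviour of each selection can be checked offline. One caveat it reflects: the hash IOCs are import hashes (IMPHASH, an MD5 over the import table), not MD5 digests of the file, so a query keyed on a file md5hash field will not match them; the example reads the IMPHASH entry of the Sysmon Hashes field instead. Field names (Image, CommandLine, Hashes) follow Sysmon Event ID 1 and the sample events are constructed, not real telemetry.

```python
"""Added example: evaluate the CoercedPotato detection logic on this page
against constructed process-creation events. Not code from Gurucul or SigmaHQ."""
from typing import Iterable

# IOCs exactly as listed on the page. Sigma string matching is
# case-insensitive, so comparisons below are done on lower/upper-cased values.
IMAGE_SUFFIX = "\\coercedpotato.exe"      # Image|endswith
CMDLINE_NEEDLE = " --exploitid "           # CommandLine|contains
IMPHASHES = {                              # Hashes|contains 'IMPHASH=...'
    "A75D7669DB6B2E107A44C4057FF7F7D6",
    "F91624350E2C678C5DCBE5E1F24E22C9",
    "14C81850A079A87E83D50CA41C709A15",
}


def parse_hashes(hashes_field: str) -> dict:
    """Split a Sysmon-style Hashes value ('MD5=..,SHA256=..,IMPHASH=..')
    into a dict keyed by algorithm name; values are upper-cased hex."""
    parsed = {}
    for part in hashes_field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            parsed[algo.strip().upper()] = value.strip().upper()
    return parsed


def matched_selections(event: dict) -> list:
    """Return the selections ('image', 'cli', 'hash') an event satisfies.
    The rule condition is '1 of selection_*', so any non-empty list is a hit."""
    hits = []
    if event.get("Image", "").lower().endswith(IMAGE_SUFFIX):
        hits.append("image")
    if CMDLINE_NEEDLE in event.get("CommandLine", "").lower():
        hits.append("cli")
    # Key on the IMPHASH entry, not the file MD5: the IOCs are import hashes.
    if parse_hashes(event.get("Hashes", "")).get("IMPHASH") in IMPHASHES:
        hits.append("hash")
    return hits


def detect(events: Iterable[dict]) -> list:
    """Return (index, matched selections) for every event the rule flags."""
    return [(i, hits) for i, e in enumerate(events) if (hits := matched_selections(e))]


# Constructed sample events (not real telemetry). The IMPHASH values are
# placeholders except where an IOC value is deliberately reused.
SAMPLE_EVENTS = [
    {   # benign system process: no selection matches
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs",
        "Hashes": "MD5=00000000000000000000000000000000,IMPHASH=11111111111111111111111111111111",
    },
    {   # unmodified tool: image, command line and import hash all match
        "Image": r"C:\Users\Public\CoercedPotato.exe",
        "CommandLine": "CoercedPotato.exe --exploitId 1",
        "Hashes": "MD5=22222222222222222222222222222222,IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6",
    },
    {   # binary renamed: only the command-line selection catches it
        "Image": r"C:\Users\Public\update.exe",
        "CommandLine": "update.exe --exploitId 2",
        "Hashes": "MD5=33333333333333333333333333333333,IMPHASH=44444444444444444444444444444444",
    },
    {   # renamed and launched without the flag: only the import hash catches it
        "Image": r"C:\Temp\svc.exe",
        "CommandLine": "svc.exe",
        "Hashes": "MD5=55555555555555555555555555555555,IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9",
    },
]

if __name__ == "__main__":
    for index, hits in detect(SAMPLE_EVENTS):
        print(f"event {index}: CoercedPotato rule hit via {', '.join(hits)}")
```

    The last two sample events show why the rule keeps three independent selections: a renamed binary defeats the image check but not the command-line or import-hash checks, and a run without the flag is still caught by the import hash as long as the binary was not rebuilt.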

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml
    Tags

    Malware, Sigma, CoercedPotato, HackTool
