Merge pull request #3567 from SigmaHQ/rule-devel

rule: JuicyPotatoNG brute force indicator
2022-10-07 11:36:26 +02:00
parent b634e1a3f9 d36e0dffeb
commit 5710507a2a
1 changed files with 24 additions and 0 deletions
@@ -0,0 +1,24 @@
+title: Local Privilege Escalation Indicator TabTip
+status: experimental
+id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
+description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
+author: Florian Roth
+date: 2022/10/07
+references:
+    - https://github.com/antonioCoco/JuicyPotatoNG
+tags:
+    - attack.execution
+    - attack.t1557.001
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 10001
+        param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe'  # is the Binary starting/started
+        param2: '2147943140'                                                     # is ERROR id
+        param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}'                         # is DCOM Server
+    condition: selection
+falsepositives:
+    - Unknown
+level: high