From c073388472b6385205b31a0f556ecff43c286e5a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 7 Oct 2022 10:41:04 +0200
Subject: [PATCH 1/4] rule: lpe - tabtip indicator
---
 .../proc_creation_win_lpe_indicators.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_lpe_indicators.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lpe_indicators.yml b/rules/windows/process_creation/proc_creation_win_lpe_indicators.yml
new file mode 100644
index 000000000..142d5c90d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lpe_indicators.yml
@@ -0,0 +1,23 @@
+title: Local Privilege Escalation Indicator TabTip
+status: experimental
+id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
+description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
+author: Florian Roth
+date: 2022/10/07
+references:
+ - https://github.com/antonioCoco/JuicyPotatoNG
+tags:
+ - attack.execution
+ - attack.t1557.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ keywords:
+ - '{054AAE20-4BEA-4347-8A35-64A533254A9D}'
+ - '2147943140'
+ - 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe'
+ condition: all of keywords
+falsepositives:
+ - Unknown
+level: high
From 6623778a61207fc20ace8aaab94e91c12377f533 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 7 Oct 2022 10:44:35 +0200
Subject: [PATCH 2/4] fix: wrong log source
---
 .../system/win_lpe_indicators_tabtip.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename rules/windows/{process_creation/proc_creation_win_lpe_indicators.yml => builtin/system/win_lpe_indicators_tabtip.yml} (95%)
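Review bot: The ATT&CK tagging under `tags:` does not match what the rule claims to detect: the title and description describe a local privilege escalation through a COM/CLSID activation, yet the tags are `attack.execution` and `attack.t1557.001`, and the latter is the LLMNR/NBT-NS poisoning and SMB relay sub-technique, which is unrelated to this activity. Consider `attack.privilege_escalation` together with a technique that matches the potato-family token-impersonation mechanism, such as `attack.t1134.001`, and keep `attack.execution` only if an execution technique is actually intended. The same two tag lines survive unchanged as context in the later hunks of this series, so the correction applies to the final file as well. A one-line entry under `falsepositives` naming what legitimately activates this CLSID would also help analysts triage a `level: high` alert, once a benign sample has been confirmed.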
diff --git a/rules/windows/process_creation/proc_creation_win_lpe_indicators.yml b/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
similarity index 95%
rename from rules/windows/process_creation/proc_creation_win_lpe_indicators.yml
rename to rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
index 142d5c90d..391ed94ef 100644
--- a/rules/windows/process_creation/proc_creation_win_lpe_indicators.yml
+++ b/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
@@ -10,8 +10,8 @@ tags:
 - attack.execution
 - attack.t1557.001
 logsource:
- category: process_creation
 product: windows
+ service: system
 detection:
 keywords:
 - '{054AAE20-4BEA-4347-8A35-64A533254A9D}'
From d76bdf71df6fe2f85a978384f094283b571f188e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 7 Oct 2022 10:48:52 +0200
Subject: [PATCH 3/4] Update win_lpe_indicators_tabtip.yml
---
 .../builtin/system/win_lpe_indicators_tabtip.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
index 391ed94ef..309cfedf9 100644
--- a/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
@@ -13,11 +13,12 @@ logsource:
 product: windows
 service: system
 detection:
- keywords:
- - '{054AAE20-4BEA-4347-8A35-64A533254A9D}'
- - '2147943140'
- - 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe'
- condition: all of keywords
+ selection:
+ EventID: 10001
+ param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe'
+ param2: '2147943140'
+ param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}'
+ condition: selection
 falsepositives:
 - Unknown
 level: high
From d36e0dffeb2ee4a58f0eb11be529383ef1468ee4 Mon Sep 17 00:00:00 2001
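Review bot: `EventID: 10001` in the new `selection` of the third patch is matched without a provider constraint, so any other provider writing that ID to the System log whose event data happened to carry the same three parameters would also satisfy the rule; adding `Provider_Name: 'Microsoft-Windows-DistributedCOM'` (confirm the exact provider string against a sample event) makes the match intentional rather than incidental. The `param1`/`param2`/`param3` fields are positional event data, and nothing on this page documents which parameter carries the path, the error and the CLSID, so that ordering should be verified against a captured event before `status` moves past experimental. The `detection` mapping is fully inside the hunk.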
From: Florian Roth
Date: Fri, 7 Oct 2022 10:56:15 +0200
Subject: [PATCH 4/4] docs: adding comments for the params
---
 rules/windows/builtin/system/win_lpe_indicators_tabtip.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
index 309cfedf9..2df4b2f32 100644
--- a/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/win_lpe_indicators_tabtip.yml
@@ -15,9 +15,9 @@ logsource:
 detection:
 selection:
 EventID: 10001
- param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe'
- param2: '2147943140'
- param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}'
+ param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' # is the Binary starting/started
+ param2: '2147943140' # is ERROR id
+ param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' # is DCOM Server
 condition: selection
 falsepositives:
 - Unknown
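Review bot: The new inline comment on `param2`, `# is ERROR id`, leaves out the one fact an analyst needs: `2147943140` is the decimal form of HRESULT 0x800702E4, i.e. Win32 error 740 (ERROR_ELEVATION_REQUIRED, "The requested operation requires elevation"), which is what turns this DCOM event into a privilege-escalation indicator rather than a generic activation failure. Suggest `param2: '2147943140' # HRESULT 0x800702E4 = Win32 error 740, ERROR_ELEVATION_REQUIRED`. The other two comments would read better with the nouns made explicit, e.g. `# CLSID of the DCOM server being activated` for `param3` and `# binary DCOM attempted to start` for `param1`; the path/binary relationship is taken from the commit's own wording, since no event sample is on this page.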