HackTool - CoercedPotato Execution

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects the use of CoercedPotato, a tool for privilege escalation

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1055` Process Injection
Defense Evasion	`T1055` Process Injection

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `1 of selection_loader_img`

Image|endswith: '\CoercedPotato.exe'

Stage 2: `1 of selection_params`

CommandLine|contains: ' --exploitId '

Stage 3: `1 of selection_loader_imphash`

or:
Hashes|contains: 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
Hashes|contains: 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
Hashes|contains: 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`--exploitId`
`Hashes`	match	`IMPHASH=14C81850A079A87E83D50CA41C709A15` `IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6` `IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9`
`Image`	ends_with	`\CoercedPotato.exe` corpus 2 (sigma 2)