Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| Collection | T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: 1 of selection_pe
or:
Image|contains: HotPotato
Image|contains: 'Juicy Potato'
Image|contains: JuicyPotato
Image|contains: PetitPotam
Image|contains: RottenPotato
Image|contains: '\LocalPotato'
Image|contains: '\Potato.exe'
Image|contains: '\Responder.exe'
Image|contains: '\SpoolSample.exe'
Image|contains: '\just_dce_'
Image|contains: '\ntlmrelayx'
Image|contains: '\smbrelayx'
Image|contains: '\temp\rot.exe'
Stage 2: 1 of selection_script
or:
CommandLine|contains: ' /ntlm:NTLMhash '
CommandLine|contains: ' ntlmrelay'
CommandLine|contains: ' smbrelay'
CommandLine|contains: '.exe -t * -p '
CommandLine|contains: Invoke-PetitPotam
CommandLine|contains: Invoke-Tater
CommandLine|contains: 'cme smb '
Stage 3: 1 of selection_juicypotato_enum (both predicates below must match; no "or:" here)
CommandLine|endswith: '}" -z'
CommandLine|contains: '.exe -c "{'
Stage 4: not 1 of filter_hotpotatoes
or:
Image|contains: 'HotPotatoes '
Image|contains: HotPotatoes6
Image|contains: HotPotatoes7
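The stages above evaluated in code, as an added example that is not part of the catalog or of the Sigma rule itself: the three selection stages are alternatives and the filter stage is negated (the rule's condition is `1 of selection_* and not 1 of filter_*`). The matcher reproduces Sigma's default case-insensitive string matching and the `*` wildcard in `.exe -t * -p `, and runs over constructed Sysmon-style events (the `Image` and `CommandLine` field names are the rule's; the events and the all-zero CLSID are constructed, not real telemetry).

```python
import re

# Predicates transcribed from the rule's stages. Sigma OR's the selection_* groups and negates filter_*:
# fires = (selection_pe or selection_script or selection_juicypotato_enum) and not filter_hotpotatoes
SELECTION_PE = ["HotPotato", "Juicy Potato", "JuicyPotato", "PetitPotam", "RottenPotato",
                r"\LocalPotato", r"\Potato.exe", r"\Responder.exe", r"\SpoolSample.exe",
                r"\just_dce_", r"\ntlmrelayx", r"\smbrelayx", r"\temp\rot.exe"]
SELECTION_SCRIPT = [" /ntlm:NTLMhash ", " ntlmrelay", " smbrelay", ".exe -t * -p ",
                    "Invoke-PetitPotam", "Invoke-Tater", "cme smb "]
ENUM_CONTAINS, ENUM_ENDSWITH = '.exe -c "{', '}" -z'   # both must hold (AND inside one selection)
FILTER_HOTPOTATOES = ["HotPotatoes ", "HotPotatoes6", "HotPotatoes7"]


def sigma_regex(value, endswith=False):
    """Compile one Sigma string value: case-insensitive, '*' = any run, '?' = one char, rest literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)
    return re.compile(body + ("$" if endswith else ""), re.IGNORECASE)


def any_contains(text, values):
    """Sigma 'contains' over a list: true if any value occurs anywhere in the field."""
    return any(sigma_regex(v).search(text) for v in values)


def matches(event):
    """True when a process-creation event (Sysmon 1 / Security 4688 fields) fires the rule."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    selection_pe = any_contains(image, SELECTION_PE)
    selection_script = any_contains(cmd, SELECTION_SCRIPT)
    selection_enum = bool(sigma_regex(ENUM_CONTAINS).search(cmd)
                          and sigma_regex(ENUM_ENDSWITH, endswith=True).search(cmd))
    return (selection_pe or selection_script or selection_enum) \
        and not any_contains(image, FILTER_HOTPOTATOES)


# Constructed sample events, not real telemetry; the CLSID is an all-zero placeholder.
SAMPLE_EVENTS = [
    {"Image": r"c:\tools\juicypotato.exe",                    # lowercase: Sigma matching ignores case
     "CommandLine": 'juicypotato.exe -c "{00000000-0000-0000-0000-000000000000}" -z'},
    {"Image": r"C:\Program Files\HotPotatoes6\HotPot.exe",   # 'HotPotato' hit, suppressed by the filter
     "CommandLine": r'"C:\Program Files\HotPotatoes6\HotPot.exe"'},
    {"Image": r"C:\Python39\python.exe",                      # only the CommandLine group fires
     "CommandLine": "python.exe ntlmrelayx.py"},
    {"Image": r"C:\Windows\System32\svchost.exe",             # benign: no '.exe -t * -p ' shape
     "CommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
]


def scan(events):
    """Return the indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```

The Hot Potatoes event shows why the filter exists: its image path contains the `HotPotato` substring from selection_pe, and without the exclusion every launch of that educational software would alert.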
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | ends_with | `}" -z` |
| CommandLine | match | ` /ntlm:NTLMhash `, ` ntlmrelay`, ` smbrelay`, `.exe -t * -p `, `Invoke-PetitPotam`, `Invoke-Tater`, `cme smb `, `.exe -c "{` |
| Image | match | `HotPotato`, `Juicy Potato`, `JuicyPotato`, `PetitPotam`, `RottenPotato`, `\LocalPotato`, `\Potato.exe`, `\Responder.exe`, `\SpoolSample.exe`, `\just_dce_`, `\ntlmrelayx`, `\smbrelayx`, `\temp\rot.exe` (excluded by filter_hotpotatoes: `HotPotatoes `, `HotPotatoes6`, `HotPotatoes7`) |