
Summary
This rule detects execution of LocalPotato, a public proof-of-concept that abuses NTLM local authentication reflection (CVE-2023-21746) to obtain an arbitrary file write as SYSTEM and thereby escalate privileges on unpatched Windows hosts. It works on process creation events and matches on the PoC's default binary name (as the Image path suffix and as the PE's OriginalFileName), on the command-line pattern of its documented usage, and on the import hash (imphash) of the published build. The selection items are OR-ed, so any single match raises an alert: a renamed copy still carries its OriginalFileName and imphash, and a recompiled copy run with the default arguments still matches the command line. Because every indicator is a static artifact of the PoC, a sample that is both rebuilt and invoked with non-default arguments will evade it; treat the rule as a cheap catch for unmodified tool use, not as coverage for the underlying vulnerability, and pair it with patching and with behavioral detections for privileged file writes originating from a standard user context.
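The following is an added example, not code from the page or from the Sigma project, showing how the OR-ed selections described above evaluate against process creation records. It runs over constructed Sysmon-style Event ID 1 fields. The command-line fragments reflect the PoC's `-i <source> -o <destination>` usage as the author of this example recalls it, and the imphash constant is a placeholder; both are assumptions and should be replaced with the values in the published rule before use.

```python
"""Evaluate the LocalPotato process-creation selections over sample events.

Added example (not the page's or the Sigma project's code). Field names follow
Sysmon Event ID 1; matching is case-insensitive, as Sigma 'contains' and
'endswith' are on Windows sources.
"""
from dataclasses import dataclass
from typing import List, Optional

# Selection terms. Image suffix and OriginalFileName are the PoC's default
# binary name. The command-line fragments are an assumption about the PoC's
# documented "-i <file> -o <path>" usage. The imphash is a PLACEHOLDER, not the
# value from the published rule.
IMAGE_SUFFIX = "\\localpotato.exe"
ORIGINAL_FILE_NAME = "localpotato.exe"
CMDLINE_ALL = (" -i c:\\", " -o ")
IMPHASHES = {"00000000000000000000000000000000"}  # placeholder, hypothetical


@dataclass
class ProcessEvent:
    image: str
    original_file_name: str
    command_line: str
    hashes: str  # Sysmon "Hashes" field, e.g. "SHA256=...,IMPHASH=..."


def imphash_of(hashes: str) -> Optional[str]:
    """Pull the IMPHASH value out of a Sysmon Hashes string, lower-cased."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "IMPHASH":
            return value.strip().lower()
    return None


def matched_selections(ev: ProcessEvent) -> List[str]:
    """Return the name of every selection item the event satisfies.

    A non-empty list means the rule fires: the items are OR-ed, so one hit is
    enough. Returning all hits (not just the first) shows an analyst which
    artifacts survived renaming or rebuilding.
    """
    hits: List[str] = []
    if ev.image.lower().endswith(IMAGE_SUFFIX):
        hits.append("image")
    if ev.original_file_name.lower() == ORIGINAL_FILE_NAME:
        hits.append("original_file_name")
    cmd = ev.command_line.lower()
    if all(fragment in cmd for fragment in CMDLINE_ALL):
        hits.append("command_line")
    if imphash_of(ev.hashes) in IMPHASHES:
        hits.append("imphash")
    return hits


def scan(events: List[ProcessEvent]) -> List[str]:
    """Return the image path of every event that triggers the rule."""
    return [ev.image for ev in events if matched_selections(ev)]


# Constructed sample events (not real telemetry).
UNMODIFIED = ProcessEvent(
    image="C:\\Users\\bob\\Downloads\\LocalPotato.exe",
    original_file_name="LocalPotato.exe",
    command_line="LocalPotato.exe -i C:\\Users\\bob\\evil.dll -o Windows\\System32\\evil.dll",
    hashes="SHA256=" + "a" * 64 + ",IMPHASH=00000000000000000000000000000000",
)
RENAMED_ONLY = ProcessEvent(  # file renamed, PE metadata and usage unchanged
    image="C:\\Temp\\svc.exe",
    original_file_name="LocalPotato.exe",
    command_line="svc.exe -i C:\\Temp\\x.dll -o Windows\\x.dll",
    hashes="SHA256=" + "b" * 64 + ",IMPHASH=00000000000000000000000000000000",
)
REBUILT_AND_RENAMED = ProcessEvent(  # every static indicator changed: evades
    image="C:\\Temp\\svc.exe",
    original_file_name="svc.exe",
    command_line="svc.exe --src C:\\Temp\\x.dll --dst Windows\\x.dll",
    hashes="SHA256=" + "c" * 64 + ",IMPHASH=ffffffffffffffffffffffffffffffff",
)
BENIGN = ProcessEvent(
    image="C:\\Windows\\System32\\notepad.exe",
    original_file_name="NOTEPAD.EXE",
    command_line="notepad.exe C:\\Users\\bob\\notes.txt",
    hashes="SHA256=" + "d" * 64 + ",IMPHASH=11111111111111111111111111111111",
)

if __name__ == "__main__":
    for ev in (UNMODIFIED, RENAMED_ONLY, REBUILT_AND_RENAMED, BENIGN):
        print(ev.image, "->", matched_selections(ev) or "no match")
```

The third sample is the point of the caveat: once the binary is rebuilt (new imphash, new OriginalFileName), renamed, and invoked with non-default switches, none of the static selections fire, which is why this rule should sit alongside patching and behavioral coverage rather than replace them.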
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-02-14