Detecting SweetPotato

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

SweetPotato is a post-exploitation tool that allows adversaries to gain unauthorized access to Windows systems. It primarily works by exploiting the weaknesses in Windows process tokens and impersonating users or system processes to grant elevated rights and permissions on the compromised target systems.

Attackers using this tool aim to escalate their privileges on target systems and gain unrestricted access to resources.

Impact:

It can be used by adversaries in the following ways:

  • Lateral movement
  • Data Breach
  • Persistent access to compromised systems

Data source:

Windows:

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the Audit Process Creation audit policy, and enabling command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Software- S0488

Criteria:

(Original file name contains "potato" OR Command line contains "sweetpotato")

'SweetPotato'- Use of 'sweetpotato' on the command line may suggest that attackers are attempting to bypass User Account Control (UAC), create backdoors, or identify services running with higher privileges and permissions.
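The criteria above applied to Sysmon Event ID 1 (process creation) records, as an added example that is not part of the original rule documentation. The event record type, the match function and the sample events are constructed for illustration; the only real field names assumed are Sysmon's OriginalFileName and CommandLine.

```python
# Added example: evaluate the rule criteria over Sysmon Event ID 1 records.
# All sample events below are constructed, not real telemetry.
from dataclasses import dataclass


@dataclass
class ProcessCreateEvent:
    image: str               # Sysmon "Image": path of the executable on disk
    original_file_name: str  # Sysmon "OriginalFileName": name from the PE version resource
    command_line: str        # Sysmon "CommandLine"


def matches_sweetpotato_rule(ev: ProcessCreateEvent) -> bool:
    """Criteria: OriginalFileName contains "potato" OR CommandLine contains "sweetpotato".

    Comparison is case-insensitive, since Windows file names are.
    """
    return ("potato" in ev.original_file_name.lower()
            or "sweetpotato" in ev.command_line.lower())


# Constructed sample events covering both criteria and two non-matches.
SAMPLE_EVENTS = [
    # Binary renamed on disk; the PE metadata still carries the original name.
    ProcessCreateEvent(
        image=r"C:\Users\Public\svc.exe",
        original_file_name="SweetPotato.exe",
        command_line=r'"C:\Users\Public\svc.exe"'),
    # Tool name visible only on the command line of the parent shell.
    ProcessCreateEvent(
        image=r"C:\Windows\System32\cmd.exe",
        original_file_name="Cmd.Exe",
        command_line=r"cmd.exe /c C:\temp\sweetpotato.exe"),
    # "potato" appears only in the directory path, which the rule does not inspect.
    ProcessCreateEvent(
        image=r"C:\Program Files\Potatoes\inventory.exe",
        original_file_name="inventory.exe",
        command_line=r'"C:\Program Files\Potatoes\inventory.exe" --sync'),
    ProcessCreateEvent(
        image=r"C:\Windows\System32\notepad.exe",
        original_file_name="NOTEPAD.EXE",
        command_line="notepad.exe report.txt"),
]


def run_rule(events):
    """Return the events that would raise this alert."""
    return [ev for ev in events if matches_sweetpotato_rule(ev)]
```

The first sample shows why the OriginalFileName clause matters: renaming the executable on disk changes Image but not the PE version resource that Sysmon reports.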

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified when SweetPotato is being used within the network. This enables you to stop the runtime activity and prevent attacker goals.

PR.PS-05: Installation and execution of unauthorized software are prevented

When this rule is triggered, you're notified when SweetPotato is being used within the network. This enables you to detect the use of unauthorized software within the network and prevent credential theft and other attacker goals.

Known false positives: The tool might be used during pentesting and by blue teams to test the effectiveness of their defensive measures and incident response protocols.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify the alert as a new incident or within an ongoing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to cease the malicious process.
  • Patch Management: Ensure regular patch updates of software and systems to mitigate vulnerabilities that could be exploited by SweetPotato attacks.