
Detecting the presence of BadPotato tool

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to identify the usage of BadPotato, a tool designed to escalate user privileges on Windows systems and execute system-level commands.

By employing BadPotato, adversaries can execute attacks such as:

  • Privilege escalation
  • Lateral movement
  • Persistence
  • Data exfiltration

Data source:

Windows: user account, process, script

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004 - Privilege Escalation, TA0008 - Lateral Movement

Techniques: T1068 - Exploitation for Privilege Escalation, T1021 - Remote Services

Sub-techniques: T1021.001 - Remote Services: Remote Desktop Protocol, T1021.002 - Remote Services: SMB/Windows Admin Shares, T1021.003 - Remote Services: Distributed Component Object Model, T1021.004 - Remote Services: SSH

Criteria:

Original file name contains "BadPotato": BadPotato is a well-known tool used by attackers to escalate privileges on a system. This rule checks whether the name of a file being executed includes "BadPotato".

Process name contains "BadPotato": Malicious actors might try to hide their activity by renaming the original file but forget to change the process name. This part of the rule checks whether the name of a running process includes "BadPotato".
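The two criteria above, evaluated against Sysmon Event ID 1 (Process Create) records, as an added example that is not part of the original rule page. The events are constructed samples (not real telemetry), and the helper names are assumptions; the check is a case-insensitive substring match on the OriginalFileName and Image fields, so a binary renamed on disk is still caught through the PE version-info name.

```python
# Added example (not from the original page): checks the rule's two criteria
# against constructed Sysmon Event ID 1 (Process Create) records.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MARKER = "badpotato"  # matched case-insensitively


def event_data(xml_text):
    """Return the EventData fields of one Sysmon event as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}


def matched_criteria(fields):
    """Return the list of rule criteria an event satisfies (empty = no alert)."""
    hits = []
    # Criterion 1: the PE version-info name survives a rename of the file on disk.
    if MARKER in fields.get("OriginalFileName", "").lower():
        hits.append("original_file_name")
    # Criterion 2: the executing image path / process name itself.
    if MARKER in fields.get("Image", "").lower():
        hits.append("process_name")
    return hits


def make_event(image, original):
    """Build a minimal constructed Sysmon Process Create event (hypothetical helper)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>1</EventID></System>'
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="OriginalFileName">{original}</Data></EventData></Event>')


SAMPLES = [  # constructed samples, not real telemetry
    make_event(r"C:\Users\Public\svchost_update.exe", "BadPotato.exe"),  # renamed on disk
    make_event(r"C:\Temp\BadPotato.exe", "BadPotato.exe"),               # not renamed
    make_event(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE"),       # benign
]


def scan(events):
    """Evaluate every event and return the criteria each one matched."""
    return [matched_criteria(event_data(e)) for e in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLES, scan(SAMPLES)):
        print(event_data(ev)["Image"], "->", hits or "no match")
```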

When to implement:

This correlation rule should be enabled when the user wants to detect malicious activity on Windows systems that might involve privilege escalation, lateral movement, persistence, or data exfiltration.

Compliance mapping:

Enabling this rule will help you meet the following requirements of regulatory standards and compliance mandates pertaining to the detection of malicious software installations.

NIST Cybersecurity Framework (CSF):

  • Anomalies in System Process Execution (DE.AE-1): Detection of unusual process executions or command-line arguments indicative of BadPotato usage, such as attempts to exploit Windows authentication mechanisms.
  • Irregular Access to Credential Stores (DE.CM-1): Identification of unauthorized access attempts or modifications related to credential stores or system services.
  • Security Log Anomalies (DE.CM-7): Alerting on activities indicating attempts to exploit authentication vulnerabilities or escalate privileges.

CIS:

  • Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of BadPotato and similar tools targeting Windows authentication vulnerabilities.
  • Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously monitor audit logs for anomalies indicating BadPotato usage or suspicious activities targeting authentication mechanisms.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.