Sneed-Reactivity/yara-Neo23x0/gen_remote_potato0.yar


rule HKTL_SentinelOne_RemotePotato0_PrivEsc {
   meta:
      author = "SentinelOne"    
      description = "Detects RemotePotato0 binary"
      reference = "https://labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop"
      date = "2021-04-26"
      id = "f6dffd6b-e794-5c4a-9700-5c2022168f44"
   strings:    
      $import1 = "CoGetInstanceFromIStorage"
      $istorage_clsid = "{00000306-0000-0000-c000-000000000046}" nocase wide ascii    
      $meow_header = { 4d 45 4f 57 }
      $clsid1 = "{11111111-2222-3333-4444-555555555555}" wide ascii
      $clsid2 = "{5167B42F-C111-47A1-ACC4-8EABE61B0B54}" nocase wide ascii
   condition:       
      (uint16(0) == 0x5A4D) and $import1 and $istorage_clsid and $meow_header and 1 of ($clsid*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule HKTL_SentinelOne_RemotePotato0_PrivEsc {`
			`meta:`
			`author = "SentinelOne"`
			`description = "Detects RemotePotato0 binary"`
			`reference = "https://labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop"`
			`date = "2021-04-26"`
			`id = "f6dffd6b-e794-5c4a-9700-5c2022168f44"`
			`strings:`
			`$import1 = "CoGetInstanceFromIStorage"`
			`$istorage_clsid = "{00000306-0000-0000-c000-000000000046}" nocase wide ascii`
			`$meow_header = { 4d 45 4f 57 }`
			`$clsid1 = "{11111111-2222-3333-4444-555555555555}" wide ascii`
			`$clsid2 = "{5167B42F-C111-47A1-ACC4-8EABE61B0B54}" nocase wide ascii`
			`condition:`
			`(uint16(0) == 0x5A4D) and $import1 and $istorage_clsid and $meow_header and 1 of ($clsid*)`
			`}`