Potential Privilege Escalation Tool Execution - Potato Variants

Rule Info

Name: Potential Privilege Escalation Tool Execution - Potato Variants
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects execution of files whose name ends with 'potato.exe', a naming pattern commonly associated with Windows privilege escalation tools. The various "Potato" exploits (such as RottenPotato, JuicyPotato and SweetPotato) are known privilege escalation techniques that exploit Windows vulnerabilities to elevate privileges. These tools are frequently used by attackers post-exploitation to gain higher privileges on compromised systems.
Reference: Internal Research
Date: 2025-04-03 00:00:00
Modified: None
Id: 5b7a4b2a-0d1f-4e4c-8f4c-a4c3e5d3a2b1
Tags: attack.privilege-escalation attack.t1548
Type: Nextron Sigma feed only (private)

Rule History