Some legitimate security tools or authorized pentesting software may use Potato privilege escalation methods for testing purposes. Filter alerts based on approved security testing activities.

Techniques

Sample rules

Windows Potato Privilege Escalation Tool Execution

Description

Detects execution of known Potato-family privilege escalation tools based on the PE original file name or the binary path (which includes the process name). The Potato family has been a dominant post-compromise privilege escalation method for over a decade and remains in active use by ransomware operators, red teams, and nation-state actors alike. It abuses Windows token impersonation (typically via SeImpersonatePrivilege) to escalate from a service account, IIS worker process, or other restricted context to SYSTEM. The core abuse chain across most variants is to coerce a SYSTEM-level process into authenticating to an attacker-controlled endpoint, capture that authentication, and impersonate the resulting SYSTEM token to spawn an elevated process. Because the match is purely name-based, renaming the file on disk alone does not evade it (original_file_name comes from the PE version resource), but a rebuilt binary with a changed version resource does; treat this as a high-confidence, low-coverage signal rather than the only Potato detection in place.

Detection logic


| tstats summariesonly=false allow_old_summaries=true
    count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Processes
  where Processes.original_file_name IN (
    "*CertPotato*",
    "*CoercedPotato*",
    "*GenericPotato*",
    "*GhostPotato*",
    "*GodPotato*",
    "*HotPotato*",
    "*JuicyPotato*",
    "*LocalPotato*",
    "*LonelyPotato*",
    "*RoguePotato*",
    "*RottenPotato*",
    "*SharpPotato*",
    "*SweetPotato*"
  )
  OR Processes.process_path IN (
    "*CertPotato*",
    "*CoercedPotato*",
    "*GenericPotato*",
    "*GhostPotato*",
    "*GodPotato*",
    "*HotPotato*",
    "*JuicyPotato*",
    "*LocalPotato*",
    "*LonelyPotato*",
    "*RoguePotato*",
    "*RottenPotato*",
    "*SharpPotato*",
    "*SweetPotato*"
  )
  by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
     Processes.parent_process_name Processes.parent_process_exec Processes.action
     Processes.dest Processes.process_current_directory Processes.process_path
     Processes.process_integrity_level Processes.original_file_name Processes.parent_process
     Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
     Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_potato_privilege_escalation_tool_execution_filter`
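To show the rule end to end, including the false-positive handling described at the top of the page, here is an added Python rendering of the SPL above run over constructed sample Endpoint.Processes events. This is example code written for this page, not Splunk's or any Potato project's code. The sample events, the reduced group-by key, the case-insensitive comparison, and the `APPROVED_TESTING` allow-list standing in for the `_filter` macro are all assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Same wildcard list the SPL applies to original_file_name and process_path.
POTATO_PATTERNS = [
    "*CertPotato*", "*CoercedPotato*", "*GenericPotato*", "*GhostPotato*",
    "*GodPotato*", "*HotPotato*", "*JuicyPotato*", "*LocalPotato*",
    "*LonelyPotato*", "*RoguePotato*", "*RottenPotato*", "*SharpPotato*",
    "*SweetPotato*",
]

# Constructed sample events (not real telemetry); field names follow the
# Endpoint.Processes data model, _time is epoch seconds.
SAMPLE_EVENTS = [
    # Renamed on disk, but the PE version resource still says JuicyPotato.
    {"_time": 1700000000, "dest": "web01", "user": "IIS APPPOOL\\DefaultAppPool",
     "process_name": "svchost32.exe", "original_file_name": "JuicyPotato.exe",
     "process_path": "C:\\Windows\\Temp\\svchost32.exe", "parent_process_name": "w3wp.exe"},
    # Second run of the same binary a minute later (aggregates with the first).
    {"_time": 1700000060, "dest": "web01", "user": "IIS APPPOOL\\DefaultAppPool",
     "process_name": "svchost32.exe", "original_file_name": "JuicyPotato.exe",
     "process_path": "C:\\Windows\\Temp\\svchost32.exe", "parent_process_name": "w3wp.exe"},
    # Version resource stripped, so only the path clause fires.
    {"_time": 1700000100, "dest": "sql02", "user": "NT SERVICE\\MSSQLSERVER",
     "process_name": "GodPotato-NET4.exe", "original_file_name": "",
     "process_path": "C:\\Users\\Public\\GodPotato-NET4.exe", "parent_process_name": "cmd.exe"},
    # Approved red-team lab host: matched, then dropped by the LoFP filter.
    {"_time": 1700000200, "dest": "rt-lab01", "user": "LAB\\redteam",
     "process_name": "SweetPotato.exe", "original_file_name": "SweetPotato.exe",
     "process_path": "C:\\Tools\\SweetPotato.exe", "parent_process_name": "powershell.exe"},
    # Benign IIS worker process.
    {"_time": 1700000300, "dest": "web01", "user": "IIS APPPOOL\\DefaultAppPool",
     "process_name": "w3wp.exe", "original_file_name": "w3wp.exe",
     "process_path": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "parent_process_name": "svchost.exe"},
    # Rebuilt binary with a rewritten version resource: name-based logic misses it.
    {"_time": 1700000400, "dest": "web01", "user": "IIS APPPOOL\\DefaultAppPool",
     "process_name": "update.exe", "original_file_name": "update.exe",
     "process_path": "C:\\Windows\\Temp\\update.exe", "parent_process_name": "w3wp.exe"},
]

# Subset of the SPL's by-clause, enough to show the aggregation.
GROUP_BY = ("dest", "user", "process_name", "original_file_name",
            "process_path", "parent_process_name")

# Assumed content of the `_filter` macro: (dest, user) pairs from an approved
# engagement record. Keep it this specific; a broad host or user wildcard here
# would also suppress a real intrusion.
APPROVED_TESTING = {("rt-lab01", "LAB\\redteam")}


def matches_potato(event):
    """Mirror of the SPL where clause: original_file_name OR process_path
    matches any pattern. Compared case-insensitively here, which is a choice
    for this example rather than a statement about tstats string semantics."""
    for field in ("original_file_name", "process_path"):
        value = (event.get(field) or "").lower()
        if any(fnmatchcase(value, p.lower()) for p in POTATO_PATTERNS):
            return True
    return False


def run_detection(events):
    """Emulate tstats: keep matching events, then count/min/max _time per key."""
    rows = {}
    for ev in events:
        if not matches_potato(ev):
            continue
        key = tuple(ev.get(f, "") for f in GROUP_BY)
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return [dict(zip(GROUP_BY, key), **agg) for key, agg in rows.items()]


def apply_lofp_filter(rows, approved=APPROVED_TESTING):
    """Stand-in for `windows_potato_privilege_escalation_tool_execution_filter`."""
    return [r for r in rows if (r["dest"], r["user"]) not in approved]


def detect(events=SAMPLE_EVENTS):
    return apply_lofp_filter(run_detection(events))


if __name__ == "__main__":
    for row in detect():
        print(row)
```

Running it yields two rows: the web01 JuicyPotato executions collapsed into one row with count 2, and the sql02 GodPotato path match; the rt-lab01 hit is removed by the allow-list, and the last event never matches because neither its path nor its version resource carries a Potato name. In Splunk the equivalent of `APPROVED_TESTING` belongs in the `_filter` macro, scoped to specific hosts and accounts for the duration of an engagement rather than to tool names.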