JuicyPotato


As described on the GitHub repository page, "A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM". In practice it is run from a context that already holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (typically a service account such as the IIS or MSSQL identity), coerces a SYSTEM-level COM server selected by CLSID into authenticating to a local listener, and uses the impersonated token to spawn a process as NT AUTHORITY\SYSTEM. The project's own README notes that the technique no longer works from Windows 10 build 1809 and Windows Server 2019 onward, so detections for it are most relevant on older hosts.

Indicators of Compromise (13)

MITRE ATT&CK TTPs (10)

YARA Detection Rules

JuicyPotato_YARA_Detection
import "hash"

rule JuicyPotato_Detection {
    meta:
        description = "Detects the JuicyPotato privilege escalation tool based on API strings, known artifacts and known file hashes"
        author = "AI Generated"
        confidence = "high"
        reference = "ATT&CK T1134 - Access Token Manipulation"
        category = "exploit"

    strings:
        // Win32 API names and related text. Several ($s8 in particular) occur in a large
        // share of benign PE files, so no single one of them identifies the tool on its own.
        $s1 = "CreateService" ascii wide
        $s2 = "OpenSCManager" ascii wide
        $s3 = "SetNamedSecurityInfo" ascii wide
        $s4 = "GetCurrentUser" ascii wide
        $s5 = "NT AUTHORITY\\SYSTEM" ascii wide
        $s6 = "Token Manipulation" ascii wide
        $s7 = "CreateProcessWithToken" ascii wide
        $s8 = "advapi32.dll" ascii wide
        $s9 = "SeDebugPrivilege" ascii wide
        $s10 = "DuplicateToken" ascii wide
        // Secondary artifacts; all three must be present for this branch to fire.
        $x1 = "PerfWatson2.exe" ascii wide
        $x2 = "AppDomainManager" ascii wide
        $x3 = "MyAppDomainManager.dll" ascii wide

    condition:
        // MZ header and the size bound from the original rule; verify the bound against
        // real samples before relying on it, an oversized build silently escapes the rule.
        uint16(0) == 0x5A4D and
        filesize < 100KB and
        // Require several API strings rather than "any of": a single hit on $s8 would
        // otherwise satisfy this clause for almost every Windows executable.
        (3 of ($s*) or all of ($x*)) and
        (
            // The original listed the three 64-hex-digit values as import hashes, but
            // pe.imphash() is an MD5 (32 hex digits); values of this length are SHA-256
            // file hashes, so they are compared as such. "matches" is YARA's regex
            // operator and cannot take a set of literals; each hash is tested with ==.
            hash.sha256(0, filesize) == "f34bd1d485de437fe18360d1e850c3fd64415e49d691e610711d8d232071a0b1" or
            hash.sha256(0, filesize) == "dce5df29bddff5a4ddaea5c4fec14da91f7b69063a6e1c45ed61e5da4fc6c87b" or
            hash.sha256(0, filesize) == "cbfe8de6ffadbb1d396f61e63eb18e8b11c29527c1528641e3223d4c516cf7c3" or
            hash.md5(0, filesize) == "00e09754526d0fe836ba27e3144ae161" or
            hash.md5(0, filesize) == "4e1f8888d020decd09799ec946f1bf67"
        )
}

Note that because the hash clause is AND-ed with everything else, the rule only ever fires on the five listed files: any rebuilt or repacked JuicyPotato binary has a different hash and is missed regardless of how many strings it contains. If broader coverage is wanted, the hash clause belongs in a separate high-confidence rule and the string clause in its own lower-confidence rule.

Rules are AI-generated and unvalidated. Test in a safe environment before production use.
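To see what the rule's condition actually does before deploying it, the following Python re-implements its gates (MZ magic, size bound, string count, hash allowlist) over a few constructed PE-like byte blobs. This is an added example, not code from the original page or from the JuicyPotato project; the sample bytes and the "known" hash set are constructed here (the hash set is derived from one of the samples so the script runs offline), and pe_like, evaluate and Verdict are names chosen for this demonstration. It compares the original `any of ($s*)` against a `3 of ($s*)` threshold and shows that a one-byte change to a matching file defeats the hash gate.

```python
import hashlib
from typing import Iterable, NamedTuple

# The strings from the page's rule, grouped as the rule groups them.
API_STRINGS = (
    b"CreateService", b"OpenSCManager", b"SetNamedSecurityInfo", b"GetCurrentUser",
    b"NT AUTHORITY\\SYSTEM", b"Token Manipulation", b"CreateProcessWithToken",
    b"advapi32.dll", b"SeDebugPrivilege", b"DuplicateToken",
)
ARTIFACT_STRINGS = (b"PerfWatson2.exe", b"AppDomainManager", b"MyAppDomainManager.dll")
MAX_FILESIZE = 100 * 1024  # the rule's `filesize < 100KB`


class Verdict(NamedTuple):
    matched: bool      # overall rule result
    api_hits: int      # how many $s strings were found
    string_gate: bool  # `N of ($s*) or all of ($x*)`
    hash_gate: bool    # file hash is in the known set


def contains(data: bytes, s: bytes) -> bool:
    """YARA `ascii wide`: the string matches as raw bytes or as UTF-16LE."""
    return s in data or s.decode("ascii").encode("utf-16-le") in data


def evaluate(data: bytes, known_md5: Iterable[str], known_sha256: Iterable[str],
             min_api_hits: int = 1) -> Verdict:
    """Mirror the rule's condition. min_api_hits=1 is `any of ($s*)`, 3 is `3 of ($s*)`."""
    is_pe = data[:2] == b"MZ" and len(data) < MAX_FILESIZE  # uint16(0) == 0x5A4D
    api_hits = sum(contains(data, s) for s in API_STRINGS)
    artifacts_all = all(contains(data, s) for s in ARTIFACT_STRINGS)
    string_gate = api_hits >= min_api_hits or artifacts_all
    hash_gate = (hashlib.md5(data).hexdigest() in set(known_md5)
                 or hashlib.sha256(data).hexdigest() in set(known_sha256))
    return Verdict(is_pe and string_gate and hash_gate, api_hits, string_gate, hash_gate)


def pe_like(body: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ magic, a zeroed stub, then `body`."""
    return b"MZ" + b"\x00" * 62 + body


# Constructed samples. BENIGN imports only common DLLs; TOOL_LIKE carries the token
# APIs plus the SYSTEM account name stored as UTF-16LE; VARIANT is TOOL_LIKE with one
# extra byte, standing in for a rebuilt or repacked copy of the same tool.
BENIGN = pe_like(b"kernel32.dll\x00advapi32.dll\x00")
TOOL_LIKE = pe_like(b"CreateService\x00OpenSCManager\x00DuplicateToken\x00"
                    b"CreateProcessWithTokenW\x00"
                    + "NT AUTHORITY\\SYSTEM".encode("utf-16-le"))
VARIANT = TOOL_LIKE + b"\x00"

# Constructed "known" hash set, seeded from TOOL_LIKE so the example runs offline.
KNOWN_MD5: set = set()
KNOWN_SHA256 = {hashlib.sha256(TOOL_LIKE).hexdigest()}


def main() -> None:
    rows = [("benign", BENIGN), ("tool-like", TOOL_LIKE), ("variant", VARIANT)]
    for threshold in (1, 3):
        print(f"--- min_api_hits={threshold} ---")
        for name, blob in rows:
            v = evaluate(blob, KNOWN_MD5, KNOWN_SHA256, min_api_hits=threshold)
            print(f"{name:10} hits={v.api_hits} strings={v.string_gate!s:5} "
                  f"hash={v.hash_gate!s:5} matched={v.matched}")


if __name__ == "__main__":
    main()
```

With `min_api_hits=1` the benign blob passes the string clause on `advapi32.dll` alone, and only the hash clause keeps it from matching; with a threshold of 3 the string clause does its share of the work. The variant sample shows the other side of the trade: it carries every indicator the tool-like sample does, yet fails because its hash is not in the list.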

Source Articles