EfsPotato has been observed in the wild in computer intrusions: https://pinboard.in/u:droberson/t:efspotato/
rule efspotato
{
    meta:
        description = "EfsPotato privilege escalation exploit"
        reference = "https://github.com/zcgonvh/EfsPotato"
    strings:
        $efspotato = "EfsPotato"
    condition:
        uint16(0) == 0x5a4d and $efspotato
}
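To make the rule's two conditions concrete, here is an added example (not part of the original post) that re-implements its logic in plain Python and runs it over a few constructed byte buffers. It assumes nothing beyond the page: uint16(0) is read little-endian as YARA does, so the 0x5a4d constant is simply the ASCII bytes "MZ" at offset 0, and a YARA string with no modifiers matches ASCII only. The samples are fabricated stand-ins, not real binaries; the "wide" field is an extra check that goes beyond the rule to show what a UTF-16LE-only occurrence of the string would look like to it.

```python
import struct
from typing import Optional

# Constant taken from the YARA rule on the page: the bytes "MZ" read as a
# little-endian uint16 are 0x5a4d, which is what uint16(0) is compared to.
MZ_MAGIC = 0x5A4D
PATTERN = b"EfsPotato"  # the $efspotato string, ASCII-only as written


def yara_uint16(data: bytes, offset: int) -> Optional[int]:
    """Mimic YARA's uint16(offset): little-endian, undefined past the end."""
    if offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def evaluate_rule(data: bytes) -> dict:
    """Re-implement the page's condition: uint16(0) == 0x5a4d and $efspotato.

    'match' is exactly what the rule would report.  'wide' is an added
    diagnostic: a UTF-16LE occurrence of the string, which the rule as
    written (no 'wide' modifier) does not count.
    """
    mz = yara_uint16(data, 0) == MZ_MAGIC
    ascii_hit = PATTERN in data
    wide_hit = PATTERN.decode("ascii").encode("utf-16-le") in data
    return {"mz": mz, "ascii": ascii_hit, "wide": wide_hit, "match": mz and ascii_hit}


def _pe_like(payload: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ header bytes plus filler."""
    return b"MZ" + b"\x90" * 62 + payload + b"\x00" * 16


# Constructed samples, not real binaries, one per branch of the condition.
SAMPLES = {
    "mz_ascii": _pe_like(b"EfsPotato.exe"),                        # both true
    "mz_only": _pe_like(b"benign-tool"),                            # header only
    "string_no_mz": b"#!/bin/sh\necho EfsPotato\n",                # string only
    "mz_wide_only": _pe_like("EfsPotato".encode("utf-16-le")),      # UTF-16 string
}


def scan_samples(samples=SAMPLES) -> dict:
    """Evaluate the rule over every sample and return the per-sample results."""
    return {name: evaluate_rule(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, r in scan_samples().items():
        print(f"{name:13} mz={r['mz']!s:5} ascii={r['ascii']!s:5} "
              f"wide={r['wide']!s:5} -> match={r['match']}")
```

Only "mz_ascii" matches; the UTF-16 sample shows the one gap worth knowing about when hunting for a .NET tool with an ASCII-only string: adding the `wide` (or `ascii wide`) modifier to `$efspotato` would extend the rule to that encoding. In production you would compile and run the actual rule with the `yara` CLI or the yara-python package rather than this re-implementation; the example only makes the condition's logic visible.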