100 Days of YARA – Day 43: EfsPotato

EfsPotato is a local privilege escalation tool for Windows: from a context that holds SeImpersonatePrivilege (typically a service account such as IIS or SQL Server) it abuses the EFSRPC interface (MS-EFSR) to obtain a SYSTEM token. It has been observed in the wild in computer intrusions: https://pinboard.in/u:droberson/t:efspotato/

rule efspotato
{
	meta:
		description = "EfsPotato privilege escalation exploit"
		reference = "https://github.com/zcgonvh/EfsPotato"

	strings:
		// Tool name as it appears in the compiled binary. Matched both ascii and
		// wide so that UTF-16LE copies of the string in .NET builds are also caught.
		$efspotato = "EfsPotato" ascii wide

	condition:
		// MZ header at offset 0 (a PE file) and the tool name anywhere in the file.
		uint16(0) == 0x5a4d and $efspotato
}
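The rule above keys on the tool's name only, so a renamed or recompiled build will slip past it; it is a cheap triage rule, not a behavioural one. The following Python, added here as an example and not part of the original post or the EfsPotato project, reimplements the rule's condition (little-endian uint16 at offset 0 equals 0x5a4d, then a substring search) and runs it over constructed byte strings standing in for PE files. The sample bytes are fabricated, not real malware: they show that an ascii-only string misses a UTF-16LE copy of "EfsPotato", which is how .NET stores user strings, while `ascii wide` catches both.

```python
"""Plain-Python re-implementation of the efspotato YARA condition, run over
constructed stand-in PE files to show the effect of `ascii` vs `ascii wide`."""
import struct

MZ_MAGIC = 0x5A4D          # "MZ" read little-endian, same as yara's uint16(0)
MARKER = "EfsPotato"       # the rule's single string


def is_mz(data: bytes) -> bool:
    """Equivalent of `uint16(0) == 0x5a4d`: a 16-bit little-endian read at offset 0."""
    if len(data) < 2:
        return False
    return struct.unpack_from("<H", data, 0)[0] == MZ_MAGIC


def marker_encodings(ascii: bool = True, wide: bool = False) -> list:
    """The byte patterns yara would search for under the given string modifiers."""
    patterns = []
    if ascii:
        patterns.append(MARKER.encode("ascii"))       # plain "EfsPotato"
    if wide:
        patterns.append(MARKER.encode("utf-16-le"))   # "E\x00f\x00s\x00..." as in .NET #US heap
    return patterns


def matches(data: bytes, ascii: bool = True, wide: bool = False) -> bool:
    """The rule's condition: MZ header AND any encoding of the marker present."""
    return is_mz(data) and any(p in data for p in marker_encodings(ascii, wide))


def make_sample(payload: bytes) -> bytes:
    """Constructed stand-in for a PE: MZ stub, e_lfanew at 0x3c pointing at 'PE\\0\\0', then payload.
    Not a real or loadable executable, just enough header for the offset checks."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + payload


# Constructed inputs (not real samples).
SAMPLE_ASCII = make_sample(b"\0" * 16 + b"EfsPotato" + b"\0" * 16)
SAMPLE_WIDE = make_sample(b"\0" * 16 + "EfsPotato".encode("utf-16-le") + b"\0" * 16)
SAMPLE_NOT_PE = b"EfsPotato mentioned in a text file"


def demo() -> dict:
    """Run the condition with and without `wide` over the constructed samples."""
    return {
        "ascii_only_on_ascii_sample": matches(SAMPLE_ASCII),
        "ascii_only_on_wide_sample": matches(SAMPLE_WIDE),
        "ascii_wide_on_wide_sample": matches(SAMPLE_WIDE, wide=True),
        "ascii_wide_on_non_pe": matches(SAMPLE_NOT_PE, wide=True),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

The non-PE sample is rejected by the MZ check even though it contains the marker, which is the whole purpose of the `uint16(0)` guard: it keeps the rule from firing on scripts, notes and this very blog post.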
