EfsPotato has been observed in the wild in computer intrusions: https://pinboard.in/u:droberson/t:efspotato/

```yara
rule efspotato
{
    meta:
        description = "EfsPotato privilege escalation exploit"
        reference = "https://github.com/zcgonvh/EfsPotato"

    strings:
        $efspotato = "EfsPotato"

    condition:
        // 0x5a4d at offset 0 is the "MZ" DOS header, so only PE files match
        uint16(0) == 0x5a4d and $efspotato
}
```