Adversaries may use a compromised service account to pivot within the network by leveraging stolen credentials to access other systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential lateral movement and unauthorized access attempts.
YARA Rule
rule hacktool_windows_hot_potato
{
    meta:
        description = "https://foxglovesecurity.com/2016/01/16/hot-potato/"
        reference = "https://github.com/foxglovesec/Potato"
        author = "@mimeframe"
        id = "68799fd0-0aac-5c4e-a76c-594d48a5765d"

    strings:
        $a1 = "Parsing initial NTLM auth..." wide ascii
        $a2 = "Got PROPFIND for /test..." wide ascii
        $a3 = "Starting NBNS spoofer..." wide ascii
        $a4 = "Exhausting UDP source ports so DNS lookups will fail..." wide ascii
        $a5 = "Usage: potato.exe -ip" wide ascii

    condition:
        any of ($a*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic. Each is declared with the wide ascii modifiers, so it is searched for both as plain ASCII bytes and as UTF-16LE, and the condition any of ($a*) fires as soon as a single one of them is found.
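To make the wide ascii modifiers and the any of ($a*) condition concrete, the following is an added Python example, not code from the original page or from the Yara-Rules project, that reimplements this rule's matching over a byte buffer using only the standard library. The sample buffers are constructed for the demonstration and are not real binaries.

```python
# Reimplementation of hacktool_windows_hot_potato's matching semantics
# (added example; uses only the Python standard library, not yara-python).

# The five strings from the rule's $a* set, in declaration order.
HOT_POTATO_STRINGS = [
    "Parsing initial NTLM auth...",
    "Got PROPFIND for /test...",
    "Starting NBNS spoofer...",
    "Exhausting UDP source ports so DNS lookups will fail...",
    "Usage: potato.exe -ip",
]


def encodings_for(text: str) -> dict:
    """Byte patterns produced by YARA's 'ascii' and 'wide' modifiers.

    'ascii' is the plain one-byte-per-character form; 'wide' is UTF-16LE,
    i.e. each character followed by a NUL byte.
    """
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def scan_buffer(data: bytes) -> list:
    """Return (identifier, modifier, offset) for every match in data.

    Searches each string in both encodings, case-sensitively (the rule
    has no 'nocase'), and reports every occurrence, as YARA would.
    """
    hits = []
    for idx, text in enumerate(HOT_POTATO_STRINGS, start=1):
        for modifier, pattern in encodings_for(text).items():
            start = 0
            while (off := data.find(pattern, start)) >= 0:
                hits.append((f"$a{idx}", modifier, off))
                start = off + 1
    return hits


def rule_matches(data: bytes) -> bool:
    """The rule's condition 'any of ($a*)': at least one string matched."""
    return bool(scan_buffer(data))


# Constructed sample buffers (not real files):
#  - a 20-byte fake header followed by $a3 encoded as UTF-16LE
#  - $a5 as plain ASCII with a placeholder argument
#  - benign text that shares prefixes with $a2/$a3 but not the full strings
SAMPLE_WIDE = b"MZ\x90\x00" + b"\x00" * 16 + "Starting NBNS spoofer...".encode("utf-16-le") + b"\x00\x00"
SAMPLE_ASCII = b"\x00Usage: potato.exe -ip <placeholder-ip>\x00"
SAMPLE_BENIGN = b"Starting backup job... Got PROPFIND for /docs"
```

Running scan_buffer on SAMPLE_WIDE shows why the wide modifier matters: the ASCII search misses the UTF-16LE string, while the wide search reports $a3 at offset 20.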
Scenario: Legitimate file download via a package manager
Description: A system administrator uses apt or yum to download and install a package, which results in a file being transferred from an external server.
Filter/Exclusion: Check the process.name field to exclude known package managers like apt, yum, or dnf. Example: process.name != apt and process.name != yum.
Scenario: Scheduled backup job transferring data
Description: A scheduled backup job (e.g., rsync, tar, or backuppc) is transferring files from a remote server to a local storage device.
Filter/Exclusion: Use process.name to exclude backup tools like rsync, tar, or backuppc. Example: process.name != rsync and process.name != tar.
Scenario: Admin using scp or sftp for file transfer
Description: A system administrator uses scp or sftp to securely transfer files between servers, which may trigger the rule due to the file transfer activity.
Filter/Exclusion: Filter by process.name to exclude scp and sftp. Example: process.name != scp and process.name != sftp.
Scenario: Software update via a remote repository
Description: A system receives an update from a remote repository (e.g., git pull, svn update, or docker pull), which may be flagged due to the network activity.
Filter/Exclusion: Use process.name to exclude version control tools like git, svn, or docker. Example: process.name != git and process.name != docker.
Scenario: Log file rotation or archival
Description: A log rotation tool (