The Potao YARA rule detects potential malicious artifacts linked to the name ‘Potao’, which may indicate targeted attacks by specific threat actors. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats associated with this campaign.
YARA Rule
rule Potao
{
    meta:
        Author = "Anton Cherepanov"
        Date = "2015/07/29"
        Description = "Operation Potao"
        Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf"
        Source = "https://github.com/eset/malware-ioc/"
        Contact = "[email protected]"
        License = "BSD 2-Clause"
    condition:
        PotaoDecoy or PotaoDll or PotaoUSB or PotaoSecondStage
}
This is the aggregate rule: its condition only references four other rules (PotaoDecoy, PotaoDll, PotaoUSB and PotaoSecondStage), which are not shown here and must be present in the same ruleset for it to compile. When its matches are surfaced in Azure Sentinel, the following scenarios describe benign activity that can share the "Potao" name, together with the exclusion filter that suppresses each one:
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task named “Potao” is scheduled via Task Scheduler to perform disk cleanup or system optimization.
Filter/Exclusion: Exclude tasks with the TaskName containing “System Maintenance” or “Disk Cleanup” using the filter:
TaskName contains "System Maintenance" or TaskName contains "Disk Cleanup"
Scenario: Admin Tool for Patch Management
Description: An administrator uses a tool named “Potao” as part of a patch management process to apply updates to endpoints.
Filter/Exclusion: Exclude processes associated with known patch management tools (e.g., Microsoft Update, WSUS) using the filter:
ProcessName contains "wusa.exe" or ProcessName contains "wsus"
Scenario: Backup Job with Custom Name
Description: A backup job named “Potao” is configured in a backup solution like Veeam or Acronis to back up critical data.
Filter/Exclusion: Exclude processes related to backup tools using the filter:
ProcessName contains "veeam" or ProcessName contains "acronis"
Scenario: Custom Script for Log Analysis
Description: A script named “Potao.ps1” is used by the SOC team to analyze logs and detect anomalies.
Filter/Exclusion: Exclude PowerShell scripts located in the SOC analysis directory (e.g., C:\SOC\Scripts) using the filter:
FileDirectory contains "C:\\SOC\\Scripts\\"
Scenario: Legitimate Software with Misleading Name
Description: A legitimate software tool (e.g., “Potao” as a project name) is used by developers for internal purposes.
Filter/Exclusion: Exclude processes from known internal development tools or projects using the filter:
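The four exclusion filters given above, applied in code, as an added example that is not part of the original page or of ESET's malware-ioc repository. It assumes that each YARA match reaches the triage step as a flat record keyed by the field names the page uses (TaskName, ProcessName, FileDirectory); the sample events are constructed. Matching is a case-insensitive substring test, which is the semantics of the KQL contains operator the filters are written in, and the helper exclusion_kql renders each entry back into that syntax so the filter strings on the page can be regenerated from one table. The fifth scenario gives no filter string, so it is not represented.

```python
"""Triage of Potao YARA matches against the page's exclusion filters.

Added example; not code from the original page or from ESET's malware-ioc
repository. Assumes each match is a flat dict keyed by the field names the
page uses (TaskName, ProcessName, FileDirectory). Sample events are constructed.
"""
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]
Exclusion = Tuple[str, str, List[str]]

# One entry per "Filter/Exclusion" on the page: (scenario, field, substrings).
EXCLUSIONS: List[Exclusion] = [
    ("Scheduled System Maintenance Task", "TaskName",
     ["System Maintenance", "Disk Cleanup"]),
    ("Admin Tool for Patch Management", "ProcessName", ["wusa.exe", "wsus"]),
    ("Backup Job with Custom Name", "ProcessName", ["veeam", "acronis"]),
    ("Custom Script for Log Analysis", "FileDirectory", ["C:\\SOC\\Scripts\\"]),
]


def _kql_literal(value: str) -> str:
    """Quote a string for KQL; a backslash is written as \\ inside
    double quotes, which is why the page's FileDirectory filter doubles them."""
    return '"' + value.replace("\\", "\\\\") + '"'


def exclusion_kql(exclusion: Exclusion) -> str:
    """Render one exclusion as the KQL predicate shown on the page."""
    _, fld, needles = exclusion
    return " or ".join(f"{fld} contains {_kql_literal(n)}" for n in needles)


def suppression_clause() -> str:
    """A single KQL 'where' clause that drops every excluded match."""
    body = " or ".join("(" + exclusion_kql(e) + ")" for e in EXCLUSIONS)
    return "| where not(" + body + ")"


def matching_exclusion(event: Event) -> Optional[str]:
    """Name of the first exclusion the event satisfies, or None.

    KQL 'contains' is a case-insensitive substring test, so the same
    semantics are applied here.
    """
    for scenario, fld, needles in EXCLUSIONS:
        haystack = event.get(fld, "").lower()
        if any(n.lower() in haystack for n in needles):
            return scenario
    return None


def triage(events: List[Event]) -> Tuple[List[Event], List[Tuple[Event, str]]]:
    """Split matches into (alerts to raise, (event, reason) pairs suppressed).

    Suppressed events are returned rather than discarded so that the
    exclusion tuning can be audited later.
    """
    alerts: List[Event] = []
    suppressed: List[Tuple[Event, str]] = []
    for ev in events:
        reason = matching_exclusion(ev)
        if reason is None:
            alerts.append(ev)
        else:
            suppressed.append((ev, reason))
    return alerts, suppressed


# Constructed sample matches (not real telemetry). Only ws04 should alert.
SAMPLE_EVENTS: List[Event] = [
    {"Computer": "ws01", "TaskName": "Potao Disk Cleanup",
     "ProcessName": "cleanmgr.exe", "FileDirectory": "C:\\Windows\\System32\\"},
    {"Computer": "ws02", "TaskName": "",
     "ProcessName": "C:\\Windows\\System32\\wusa.exe",
     "FileDirectory": "C:\\Windows\\System32\\"},
    {"Computer": "ws03", "TaskName": "",
     "ProcessName": "powershell.exe", "FileDirectory": "C:\\SOC\\Scripts\\"},
    {"Computer": "ws04", "TaskName": "",
     "ProcessName": "potao.exe", "FileDirectory": "C:\\Users\\Public\\"},
]

if __name__ == "__main__":
    print(suppression_clause())
    raised, dropped = triage(SAMPLE_EVENTS)
    for ev, why in dropped:
        print(f"suppressed {ev['Computer']}: {why}")
    for ev in raised:
        print(f"ALERT {ev['Computer']}: {ev['ProcessName']}")
```

Keeping the exclusions in one table and rendering the KQL from it means the analytic rule and the documentation cannot drift apart, and returning the suppressed events with their reason gives the SOC a record of what each exclusion is actually hiding when the filters are reviewed.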