Adversaries aware of the PotaoDecoy YARA rule may attempt to evade it by mimicking legitimate system behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover potential deception tactics and assess the effectiveness of their defensive strategies.
YARA Rule
rule PotaoDecoy
{
    strings:
        // DOS header magic "MZ"; the condition anchors it at offset 0
        $mz = { 4d 5a }
        // Marker strings; all three must be present for the $str* branch to match
        $str1 = "eroqw11"
        $str2 = "2sfsdf"
        $str3 = "RtlDecompressBuffer"
        // Decoy document text stored as UTF-16LE ("wide")
        $wiki_str = "spanned more than 100 years and ruined three consecutive" wide
        // Older-version byte sequence: "Shell32.dll\0dafsr\0\0\0dafsr\0\0\0doc" followed by NUL or "x" (docx)
        $old_ver1 = {53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}
        // Older-version byte sequence: "open\0\0\0\0doc\0dafsr\0\0\0Shell32.dll\0"
        $old_ver2 = {6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}
    condition:
        ($mz at 0) and ( (all of ($str*)) or any of ($old_ver*) or $wiki_str )
}
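To see exactly what the condition above requires, here is an added example (not part of the original rule or the yara-python library) that re-implements the rule's strings and condition in plain Python and runs it over constructed byte buffers. It shows three details a reader can otherwise miss: `$mz at 0` anchors the match to the first two bytes, `wide` means the text is encoded as UTF-16LE, and the `(00 | 78)` alternative in `$old_ver1` expands to two concrete byte sequences. The hex-string expander and the sample buffers are assumptions written for this example; the samples are synthetic and contain no real malware.

```python
import re

# Plain ASCII strings from the rule. The condition's `all of ($str*)` matches
# only identifiers beginning with "str" ($str1..$str3), not $wiki_str.
STR_PATTERNS = [b"eroqw11", b"2sfsdf", b"RtlDecompressBuffer"]

# `wide` in YARA means UTF-16LE: every character is followed by a NUL byte.
WIKI_STR_WIDE = "spanned more than 100 years and ruined three consecutive".encode("utf-16-le")

# Hex strings copied from the rule; the trailing (00 | 78) in $old_ver1 is an
# alternative ("doc\0" or "docx") that expands to two concrete byte sequences.
HEX_OLD_VER1 = "{53 68 65 6C 6C 33 32 2E 64 6C 6C 00 64 61 66 73 72 00 00 00 64 61 66 73 72 00 00 00 64 6F 63 (00 | 78)}"
HEX_OLD_VER2 = "{6F 70 65 6E 00 00 00 00 64 6F 63 00 64 61 66 73 72 00 00 00 53 68 65 6C 6C 33 32 2E 64 6C 6C 00}"


def expand_hex(pattern):
    """Expand a YARA hex string into every concrete byte sequence it denotes.

    Handles plain bytes and one level of ( a | b | ... ) alternatives, which is
    all this rule uses; wildcards (??) and jumps ([n-m]) are not supported.
    """
    tokens = re.findall(r"\(|\)|\||[0-9A-Fa-f]{2}", pattern)
    results = [b""]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "(":
            branches, current = [], []
            i += 1
            while tokens[i] != ")":
                if tokens[i] == "|":
                    branches.append(current)
                    current = []
                else:
                    current.append(tokens[i])
                i += 1
            branches.append(current)
            results = [r + bytes.fromhex("".join(b)) for r in results for b in branches]
        else:
            results = [r + bytes.fromhex(tok) for r in results]
        i += 1
    return results


OLD_VER_PATTERNS = expand_hex(HEX_OLD_VER1) + expand_hex(HEX_OLD_VER2)


def matches_potao_decoy(data):
    """Evaluate the rule's condition against a byte buffer (True = rule would fire)."""
    mz_at_0 = data[:2] == b"MZ"                               # ($mz at 0)
    all_strs = all(s in data for s in STR_PATTERNS)           # all of ($str*)
    any_old_ver = any(p in data for p in OLD_VER_PATTERNS)    # any of ($old_ver*)
    wiki = WIKI_STR_WIDE in data                              # $wiki_str
    return mz_at_0 and (all_strs or any_old_ver or wiki)


def build_samples():
    """Constructed buffers (not real malware) exercising each branch of the condition."""
    stub = b"MZ" + b"\x00" * 62  # constructed: only the DOS magic, not a valid PE
    return {
        "all_three_strs": stub + b"eroqw11 2sfsdf RtlDecompressBuffer",
        "two_strs_only": stub + b"eroqw11 RtlDecompressBuffer",        # 'all of' fails
        "old_ver1_docx": stub + b"Shell32.dll\x00dafsr\x00\x00\x00dafsr\x00\x00\x00docx",
        "wiki_wide": stub + WIKI_STR_WIDE,
        "wiki_ascii_only": stub + b"spanned more than 100 years and ruined three consecutive",
        "no_mz_header": b"eroqw11 2sfsdf RtlDecompressBuffer",
    }


def scan_samples():
    """Run the emulated rule over every constructed sample, name -> matched."""
    return {name: matches_potao_decoy(buf) for name, buf in build_samples().items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:18s} {'MATCH' if hit else 'no match'}")
```

The `wiki_ascii_only` sample is the one worth noting: the same sentence in plain ASCII does not match because the rule declares `$wiki_str` as `wide` only, so an analyst checking a suspect file with a text search will see the phrase while the rule stays silent unless the UTF-16LE form is present.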
This rule contains 7 string patterns in its detection logic.
The following scenarios describe legitimate activity that may need to be filtered or excluded when this rule is deployed:
Scenario: A system administrator is using PowerShell to run a scheduled job that generates a file named PotaoDecoy.ps1 as part of a routine maintenance task.
Filter/Exclusion: Exclude files with .ps1 extensions or filter by the presence of PowerShell in the process name.
Scenario: A Windows Task Scheduler job is configured to create a temporary file named PotaoDecoy.tmp during a system cleanup process.
Filter/Exclusion: Exclude files with .tmp extensions or filter by the presence of Task Scheduler in the process name.
Scenario: A Windows Admin Center or PowerShell DSC configuration is generating a file named PotaoDecoy as part of a configuration baseline or compliance check.
Filter/Exclusion: Exclude files created by processes associated with Windows Admin Center or DSC (e.g., Microsoft.PowerShell.DesiredStateConfiguration).
Scenario: A log management tool such as Splunk or ELK Stack is generating a file named PotaoDecoy.log for temporary storage during data processing.
Filter/Exclusion: Exclude files with .log extensions or filter by the presence of Splunk or logstash in the process name.
Scenario: A backup tool like Veeam or Acronis is creating a file named PotaoDecoy.bak as part of a backup process.
Filter/Exclusion: Exclude files with .bak extensions or filter by the presence of Veeam or Acronis in the process name.
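The exclusions listed in the scenarios above decide which file events are submitted to (or alerted on after) the YARA scan; they do not change what the rule itself matches, since the rule inspects file content rather than file names. The following added example (not from the original page) encodes those extension and process-name filters and applies them to constructed file-creation events, recording the reason each suppressed event was dropped so the tuning stays auditable. The event field names `path` and `process` and the sample events are assumptions made for this example.

```python
from pathlib import PureWindowsPath

# Filters taken from the scenarios above: extensions excluded outright, and
# process-name markers matched case-insensitively as substrings. The more
# specific DSC marker is listed before "powershell" so it is reported first.
EXCLUDED_EXTENSIONS = {".ps1", ".tmp", ".log", ".bak"}
EXCLUDED_PROCESS_MARKERS = (
    "microsoft.powershell.desiredstateconfiguration",
    "powershell",
    "task scheduler",
    "windows admin center",
    "splunk",
    "logstash",
    "veeam",
    "acronis",
)


def exclusion_reason(path, process):
    """Return which filter suppresses a file event, or None if it should be scanned."""
    suffix = PureWindowsPath(path).suffix.lower()
    if suffix in EXCLUDED_EXTENSIONS:
        return f"extension {suffix}"
    proc = process.lower()
    for marker in EXCLUDED_PROCESS_MARKERS:
        if marker in proc:
            return f"process matches '{marker}'"
    return None


def triage(events):
    """Split events into those to submit to the YARA scan and those suppressed, with reason."""
    to_scan, suppressed = [], []
    for event in events:
        reason = exclusion_reason(event["path"], event["process"])
        if reason is None:
            to_scan.append(event)
        else:
            suppressed.append((event, reason))
    return to_scan, suppressed


def sample_events():
    """Constructed file-creation events (not real telemetry), one per scenario plus a control."""
    return [
        {"path": r"C:\Scripts\PotaoDecoy.ps1", "process": "powershell.exe"},
        {"path": r"C:\Windows\Temp\PotaoDecoy.tmp", "process": "Task Scheduler"},
        {"path": r"C:\ProgramData\PotaoDecoy", "process": "Microsoft.PowerShell.DesiredStateConfiguration"},
        {"path": r"C:\Backups\PotaoDecoy.bak", "process": "Veeam.Backup.Service.exe"},
        {"path": r"C:\Users\Public\invoice.exe", "process": "explorer.exe"},
    ]


def triage_samples():
    """Apply the filters to the sample events: (paths to scan, suppression reasons)."""
    to_scan, suppressed = triage(sample_events())
    return [e["path"] for e in to_scan], [reason for _, reason in suppressed]


if __name__ == "__main__":
    scan, reasons = triage_samples()
    print("to scan:", scan)
    print("suppressed:", reasons)
```

Because the process markers are substring matches, ordering matters when one marker is contained in another; the recorded reason is what a reviewer will later use to judge whether an exclusion is too broad, so the most specific marker should win.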