The PotaoSecondStage YARA rule detects files carrying the second-stage payload used by the Potao malware family; a hit suggests an adversary may be establishing persistence or escalating privileges. SOC teams should proactively hunt for this behaviour in Azure Sentinel so that early-stage compromise attempts are identified and mitigated before they lead to deeper network infiltration.
YARA Rule

rule PotaoSecondStage
{
    strings:
        // "MZ" DOS header; the condition requires it at offset 0
        $mz = { 4d 5a }
        // hash of CryptBinaryToStringA and CryptStringToBinaryA
        $binary1 = {51 7A BB 85 [10-180] E8 47 D2 A8}
        // old hash of CryptBinaryToStringA and CryptStringToBinaryA
        $binary2 = {5F 21 63 DD [10-30] EC FD 33 02}
        $binary3 = {CA 77 67 57 [10-30] BA 08 20 7A}
        // MSVC-mangled class name Crypt32Import (RTTI type descriptor)
        $str1 = "?AVCrypt32Import@@"
        // printf-style format string used by the payload
        $str2 = "%.5llx"
    condition:
        ($mz at 0) and any of ($binary*) and any of ($str*)
}
This rule contains 6 string patterns in its detection logic: the MZ header check, three hex patterns with byte jumps for the hashed Crypt32 API names, and two plaintext strings. A file matches only when the header is at offset 0, at least one hex pattern is present, and at least one plaintext string is present.
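To show how the rule's condition and its [n-m] byte jumps behave, here is an added pure-Python evaluator of the PotaoSecondStage logic (not part of the original page and not a replacement for yara; the three sample buffers are constructed, not real Potao samples):

```python
import re

# Patterns copied from the PotaoSecondStage rule above.
MZ = b"MZ"
HEX_PATTERNS = {
    "$binary1": "51 7A BB 85 [10-180] E8 47 D2 A8",
    "$binary2": "5F 21 63 DD [10-30] EC FD 33 02",
    "$binary3": "CA 77 67 57 [10-30] BA 08 20 7A",
}
TEXT_PATTERNS = {"$str1": b"?AVCrypt32Import@@", "$str2": b"%.5llx"}
JUMP = re.compile(r"\[(\d+)-(\d+)\]")

def hex_to_regex(pattern):
    """Translate a YARA hex string into a bytes regex: each byte token becomes
    an escaped literal, and a jump [n-m] becomes .{n,m} (any n..m bytes)."""
    parts = []
    for tok in pattern.split():
        m = JUMP.fullmatch(tok)
        if m:
            parts.append(b".{%d,%d}" % (int(m.group(1)), int(m.group(2))))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def match_potao_second_stage(data):
    """Evaluate ($mz at 0) and any of ($binary*) and any of ($str*).
    Returns the verdict plus which individual strings hit, for triage."""
    hits = {"$mz": data.startswith(MZ)}
    for name, pat in HEX_PATTERNS.items():
        hits[name] = hex_to_regex(pat).search(data) is not None
    for name, s in TEXT_PATTERNS.items():
        hits[name] = s in data
    matched = (hits["$mz"] and any(hits[n] for n in HEX_PATTERNS)
               and any(hits[n] for n in TEXT_PATTERNS))
    return {"matched": matched, "hits": hits}

# Constructed buffers: one that satisfies the rule and two near-misses.
POSITIVE = (b"MZ" + b"\x90" * 64 + bytes.fromhex("5F2163DD") + b"\x00" * 12
            + bytes.fromhex("ECFD3302") + b"\x00" * 8 + b"?AVCrypt32Import@@\x00")
# $binary2's two halves are 40 bytes apart, outside the [10-30] jump range.
GAP_TOO_LONG = (b"MZ" + bytes.fromhex("5F2163DD") + b"\x00" * 40
                + bytes.fromhex("ECFD3302") + b"%.5llx")
# Same payload bytes but no MZ header at offset 0 (e.g. a raw memory dump).
NO_MZ = b"\x00\x00" + POSITIVE[2:]

if __name__ == "__main__":
    for label, buf in (("positive", POSITIVE), ("gap_too_long", GAP_TOO_LONG), ("no_mz", NO_MZ)):
        print(label, match_potao_second_stage(buf))
```

The NO_MZ case is why this rule suits on-disk PE files rather than memory dumps: every other string hits, but the `$mz at 0` anchor fails.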
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running a script to update system configurations or perform disk cleanup.
Filter/Exclusion: process.name != "schtasks.exe" and process.name != "task scheduler"
Scenario: Admin Performing Remote Desktop Session
Description: An administrator using Remote Desktop Protocol (RDP) to access a server and execute commands.
Filter/Exclusion: process.name != "mstsc.exe" or process.parent.name != "rdpclip.exe"
Scenario: Software Update Deployment via SCCM
Description: A Software Center or Configuration Manager (SCCM) update deployment triggering a script or executable.
Filter/Exclusion: process.name != "msiexec.exe" or process.parent.name != "ccmexec.exe"
Scenario: Backup Job Execution
Description: A scheduled backup job using tools like Veeam, Commvault, or VSS (Volume Shadow Copy Service) is running.
Filter/Exclusion: process.name != "vssadmin.exe" and process.name != "veeam.exe"
Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script written by the admin for system monitoring or log analysis is executing.
Filter/Exclusion: process.name != "powershell.exe" or process.parent.name != "explorer.exe"