From 2615006f39c5b8a3233362c9997f1e7b830f22c6 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Mon, 9 Feb 2026 18:57:59 +0100
Subject: [PATCH] feat(rules): Add Potential privilege escalation via DeadPotato exploit rule

Detects potential privilege escalation activity consistent with the DeadPotato exploit. Attackers can abuse the DCOM RPCSS service flaw to start an elevated process allowing unrestricted access over the machine for critical operations to be freely performed.
---
 ...lege_escalation_via_deadpotato_exploit.yml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 rules/privilege_escalation_potential_privilege_escalation_via_deadpotato_exploit.yml

diff --git a/rules/privilege_escalation_potential_privilege_escalation_via_deadpotato_exploit.yml b/rules/privilege_escalation_potential_privilege_escalation_via_deadpotato_exploit.yml
new file mode 100644
index 000000000..419625f04
--- /dev/null
+++ b/rules/privilege_escalation_potential_privilege_escalation_via_deadpotato_exploit.yml
@@ -0,0 +1,33 @@
+name: Potential privilege escalation via DeadPotato exploit
+id: 3911130a-b71c-4994-a7c3-5ae07dc0abe0
+version: 1.0.0
+description: |
+ Detects potential privilege escalation activity consistent with the DeadPotato
+ exploit. Attackers can abuse the DCOM RPCSS service flaw to start an elevated
+ process allowing unrestricted access over the machine for critical operations to
+ be freely performed.
+labels:
+ tactic.id: TA0004
+ tactic.name: Privilege Escalation
+ tactic.ref: https://attack.mitre.org/tactics/TA0004/
+ technique.id: T1068
+ technique.name: Exploitation for Privilege Escalation
+ technique.ref: https://attack.mitre.org/techniques/T1068/
+references:
+ - https://github.com/lypd0/DeadPotato
+
+condition: >
+ sequence
+ maxspan 1m
+ |connect_socket and
+ ps.name = 'svchost.exe' and ps.args intersects ('-k', 'RPCSS') and
+ net.dport = 135 and (net.dip = 127.0.0.1 or net.dip = '::1')
+ |
+|spawn_process and
+ ps.token.integrity_level = 'SYSTEM' and
+ ps.exe not imatches '?:\\WINDOWS\\system32\\conhost.exe'
+ |
+
+severity: high
+
+min-engine-version: 3.0.0
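Review bot: The first stage's `ps.args intersects ('-k', 'RPCSS')` is weaker than it reads, because `-k` is present on the command line of essentially every svchost.exe instance, so if `intersects` is satisfied by any single common element the RPCSS constraint is effectively dropped and any svchost loopback connection to port 135 opens the one-minute window; `ps.cmdline icontains 'RPCSS'` (or matching the full argument pair, if the engine supports that) would pin the intended service host. The second stage is not correlated to the first by any key and only excludes conhost.exe, so every SYSTEM-integrity process started by services.exe, svchost.exe or a scheduled task within that minute satisfies the sequence, which is likely to be noisy on servers at severity high; narrowing it, for example with `ps.parent.name not in ('services.exe', 'svchost.exe')` or by requiring a non-SYSTEM parent, should be evaluated against a baseline before shipping. The loopback literals `net.dip = 127.0.0.1` and `net.dip = '::1'` should be quoted consistently. A one-line comment in the condition explaining why conhost.exe is the sole exclusion would help whoever tunes the rule later.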