Windows RottenPotato like attack pattern
Goal
Detects authentication patterns associated with RottenPotato and similar token impersonation attacks used to escalate privileges on Windows systems.
Strategy
This rule monitors Windows event logs for logon events (Event ID 4624) with specific characteristics that match the authentication pattern used in RottenPotato attacks. The detection looks for logon type 3 (network) authentications coming from the local loopback addresses (127.0.0.1 or ::1) with a blank workstation name ("-") and using the “ANONYMOUS LOGON” account. RottenPotato and similar attacks (such as JuicyPotato and SweetPotato) exploit the Windows token impersonation mechanism by setting up a fake NTLM authentication server locally and performing a man-in-the-middle attack against the system’s own NTLM authentication process. This technique allows attackers to capture and impersonate authentication tokens with SYSTEM privileges, effectively elevating their access rights from a lower-privileged account.
Triage & Response
- Examine the complete logon event details to confirm the RottenPotato attack pattern on
{{host}}. - Identify the local user account or process that was active at the time of the suspicious authentication.
- Check process creation logs preceding the event to determine what binary or script might have initiated the attack.
- Review file creation events for indicators that a privilege escalation tool was dropped onto the system.
- Analyze the process tree to understand the full attack chain leading to the token impersonation attempt.
- Remove any malicious binaries related to RottenPotato variants (common filenames include potato.exe, juicypotato.exe, sweetpotato.exe).
