BadPotato
BadPotato is a Windows privilege-escalation tool/exploit used to elevate execution to local NT AUTHORITY\SYSTEM. The provided content describes it as similar to SharpToken and as part of the broader 'Potato' family of named-pipe impersonation and token abuse tools. It is used for local privilege escalation and command execution with SYSTEM privileges. Multiple sources in the content state that APT41 used a ConfuserEx-obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local NT AUTHORITY\SYSTEM privilege escalation during campaign C0017. The content also notes BadPotato was obtained as a publicly available tool by APT41. Separately, SentinelLABS reported DragonSpark used BadPotato as a tool to elevate privileges to SYSTEM, and Unit 42 observed attackers in intrusion cluster CL-STA-0046 attempting privilege escalation with the Potato Suite, including JuicyPotato, BadPotato, and SweetPotato. In MS-SQL intrusion reporting, a ShadowForce-related CLR SqlShell variant named CLR_module was described as embedding privilege-escalation tools such as BadPotato and EfsPotato, indicating use as a post-compromise helper in SQL Server attacks. High-confidence behavior from the content is limited to local Windows privilege escalation via named-pipe impersonation/token abuse to obtain SYSTEM; no standalone infection vector or specific IOCs for BadPotato itself are provided.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
BadPotato: a tool similar to SharpToken that elevates user privileges to SYSTEM for command execution.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 techniqueThe content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Initial Access
1 techniquePersistence
1 techniquePrivilege Escalation
2 techniquesUsing tools such as BadPotato, SweetPotato, GodPotato, or PrinterNotifyPotato for privilege escalation on Windows systems; Exploiting CVE-2021-4034, CVE-2021-22555, and CVE-2016-5195 for privilege escalation on Linux systems
Stealth
1 techniqueRecent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Potato-family local privilege escalation tool used in attempted privilege escalation.
Windows local privilege escalation tool referenced as being embedded/available within a CLR SqlShell variant (CLR_module) to elevate privileges post-compromise.
Windows privilege-escalation tool used to obtain SYSTEM-level execution for follow-on actions (e.g., tool deployment, lateral movement).
A local privilege escalation exploit/tool used to obtain NT AUTHORITY\SYSTEM via named-pipe impersonation.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.