
Summary
Detects execution of Potato-family privilege escalation tools on Windows by matching a process's original_file_name, process name, or binary path against a list of known Potato artifacts (e.g., CertPotato, JuicyPotato, LocalPotato, GhostPotato, RottenPotato). Potato tools abuse Windows token impersonation to escalate from a service account, IIS worker process, or other restricted context that holds SeImpersonatePrivilege to SYSTEM. The typical chain coerces a SYSTEM-level process into authenticating to an attacker-controlled endpoint, captures that authentication, and impersonates the resulting SYSTEM token to spawn an elevated process.

The rule uses process-creation telemetry from Sysmon (EventID 1), Windows Security (Event 4688), and CrowdStrike ProcessRollup2, normalized to the CIM Endpoint.Processes data model, and flags events where Process.original_file_name, Process.process_name, or Process.process_path matches any listed variant. Matches are aggregated by process attributes and related metadata, with drilldowns for user and destination context. Implementing it in Splunk ES or a similar platform requires ingesting complete command lines and normalizing the data to the Endpoint.Processes schema so the search runs efficiently. The rule feeds risk-based alerting through related risk events and maps to MITRE ATT&CK T1068 (Exploitation for Privilege Escalation). It includes implementation guidance, false-positive considerations (authorized penetration tests and security research hosts are the usual source), references to Potato-family analyses, and drilldown and true-positive test artifacts.
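The matching and aggregation logic described above, re-implemented in Python over constructed process-creation events so it can be run offline; this is an added example, not the rule's own SPL, and the artifact list, field names, hosts, users and command lines below are assumptions made for illustration. It also shows the caveat a practitioner should keep in mind: Security Event 4688 carries no PE version-info name, so a renamed Potato binary is caught from that source only if its name or path still contains a listed artifact, whereas Sysmon's OriginalFileName field still identifies it.

```python
# Added example (not the detection's own code): Potato-artifact matching over
# CIM-style Endpoint.Processes records, with the rule's group-by aggregation.
import re
from dataclasses import dataclass, field

# Artifact names taken from the rule summary; the real rule may list more
# variants (assumption: this subset is enough to show the logic).
POTATO_ARTIFACTS = ("CertPotato", "JuicyPotato", "LocalPotato",
                    "GhostPotato", "RottenPotato")

# One case-insensitive alternation. A substring match also catches suffixed
# builds such as RottenPotatoNG.exe, but not a variant the list does not name.
_PATTERN = re.compile("|".join(re.escape(n) for n in POTATO_ARTIFACTS),
                      re.IGNORECASE)

# Fields the rule compares, in the order reported back to the analyst.
MATCH_FIELDS = ("original_file_name", "process_name", "process_path")


@dataclass(frozen=True)
class ProcessEvent:
    """A process-creation event after normalisation to Endpoint.Processes."""
    source: str              # telemetry that produced the event
    dest: str                # host
    user: str
    process_name: str
    process_path: str
    original_file_name: str  # PE version-info name; empty when absent
    process: str             # full command line


def matched_fields(ev):
    """Names of the fields on this event that contain a Potato artifact."""
    return [f for f in MATCH_FIELDS if _PATTERN.search(getattr(ev, f) or "")]


@dataclass
class Finding:
    dest: str
    user: str
    process_name: str
    count: int = 0
    fields: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    command_lines: list = field(default_factory=list)


def detect(events):
    """Group matching events by dest/user/process_name, like the rule's stats."""
    findings = {}
    for ev in events:
        hits = matched_fields(ev)
        if not hits:
            continue
        key = (ev.dest, ev.user, ev.process_name)
        f = findings.setdefault(key, Finding(ev.dest, ev.user, ev.process_name))
        f.count += 1
        f.fields.update(hits)
        f.sources.add(ev.source)
        f.command_lines.append(ev.process)
    return list(findings.values())


# Constructed sample events (hosts, users and command lines are made up).
SAMPLE_EVENTS = [
    # Renamed binary: only the PE version info still says JuicyPotato.
    ProcessEvent("Sysmon:1", "web01", "IIS APPPOOL\\DefaultAppPool",
                 "svc_update.exe", "C:\\Windows\\Temp\\svc_update.exe",
                 "JuicyPotato.exe",
                 "svc_update.exe -l 1337 -p C:\\Windows\\System32\\cmd.exe -t *"),
    # Same renamed binary seen via 4688, which has no version-info field:
    # nothing left to match, so this source misses it.
    ProcessEvent("WinEventLog:4688", "web01", "IIS APPPOOL\\DefaultAppPool",
                 "svc_update.exe", "C:\\Windows\\Temp\\svc_update.exe", "",
                 "svc_update.exe -l 1337 -p C:\\Windows\\System32\\cmd.exe -t *"),
    # Unrenamed drop on another host (original_file_name left empty here).
    ProcessEvent("CrowdStrike:ProcessRollup2", "sql02", "NT SERVICE\\MSSQLSERVER",
                 "RottenPotatoNG.exe", "C:\\Users\\Public\\RottenPotatoNG.exe",
                 "", "RottenPotatoNG.exe"),
    # Benign activity.
    ProcessEvent("Sysmon:1", "ws17", "CORP\\alice", "notepad.exe",
                 "C:\\Windows\\System32\\notepad.exe", "NOTEPAD.EXE",
                 "notepad.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.dest} {f.user} {f.process_name} x{f.count} "
              f"matched={sorted(f.fields)} sources={sorted(f.sources)}")
```

Running the block reports two findings: the renamed JuicyPotato on web01, matched only through original_file_name from the Sysmon event, and RottenPotatoNG on sql02, matched on both name and path. The 4688 copy of the renamed binary produces no match, which is the coverage gap to close by shipping Sysmon or another source that carries the PE original file name.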
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Pod
- Image
- Process
- File
- Logon Session
ATT&CK Techniques
- T1068
Created: 2026-04-13