Potential PetitPotam Attack Via EFS RPC Calls
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
Sigma rule (View on GitHub)
1title: Potential PetitPotam Attack Via EFS RPC Calls
2id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
3status: test
4description: |
5 Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
6 The usage of this RPC function should be rare if ever used at all.
7 Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
8 View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
9references:
10 - https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
11 - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
12 - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
13 - https://threatpost.com/microsoft-petitpotam-poc/168163/
14author: '@neu5ron, @Antonlovesdnb, Mike Remen'
15date: 2021-08-17
16modified: 2022-11-28
17tags:
18 - attack.t1557.001
19 - attack.t1187
20logsource:
21 product: zeek
22 service: dce_rpc
23detection:
24 selection:
25 operation|startswith: 'efs'
26 condition: selection
27fields:
28 - id.orig_h
29 - id.resp_h
30 - id.resp_p
31 - operation
32 - endpoint
33 - named_pipe
34 - uid
35falsepositives:
36 - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
37level: medium
References
-
PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions. - topotam/PetitPotam
Read More -
You are now in line. Thank you for your patience. We are experiencing a high volume of traffic and using a virtual queue to limit the amount of users on the website at the same time. This will ensu...
Read More -
Microsoft releases mitigations for a Windows NT LAN Manager exploit that forces remote Windows systems to reveal password hashes that can be easily cracked.
Read More
Related rules
- HackTool - ADCSPwn Execution
- HackTool - Impacket Tools Execution
- Local Privilege Escalation Indicator TabTip
- PetitPotam Suspicious Kerberos TGT Request
- Possible PetitPotam Coerce Authentication Attempt