Possible PetitPotam Coerce Authentication Attempt
Detect PetitPotam coerced authentication activity.
Sigma rule
title: Possible PetitPotam Coerce Authentication Attempt
id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
status: test
description: Detect PetitPotam coerced authentication activity.
references:
    - https://github.com/topotam/PetitPotam
    - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
author: Mauricio Velazco, Michael Haag
date: 2021-09-02
modified: 2022-08-11
tags:
    - attack.credential-access
    - attack.t1187
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName|startswith: '\\\\' # looking for the string \\something\IPC$
        ShareName|endswith: '\IPC$'
        RelativeTargetName: lsarpc
        SubjectUserName: ANONYMOUS LOGON
    condition: selection
falsepositives:
    - Unknown. Feedback welcomed.
level: high
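To make the selection logic concrete, the following is an added example (not code from the Sigma project or the rule's authors) that applies the rule's four field conditions to Windows Security event 5145 records. It assumes events are represented as dictionaries keyed by the 5145 field names used in the rule (EventID, ShareName, RelativeTargetName, SubjectUserName) and applies Sigma's default case-insensitive string matching; the sample events are constructed, not real telemetry.

```python
"""Apply the selection of the PetitPotam Sigma rule to 5145 event records.

Added example; not part of the Sigma rule or the Sigma project.
Assumptions: each event is a dict keyed by the 5145 field names the rule
uses, and Sigma's default case-insensitive string comparison applies.
"""


def matches_petitpotam_rule(event: dict) -> bool:
    """Return True when an event satisfies every condition in the rule's selection.

    In the rule, the single-quoted Sigma value '\\\\' is Sigma escaping for a
    literal two-backslash prefix (the UNC form \\host\IPC$), and '\IPC$' is a
    literal backslash followed by IPC$. Sigma string modifiers are
    case-insensitive by default, so fields are lower-cased before comparison.
    """
    if str(event.get("EventID", "")) != "5145":
        return False
    share = str(event.get("ShareName", "")).lower()
    target = str(event.get("RelativeTargetName", "")).lower()
    user = str(event.get("SubjectUserName", "")).lower()
    return (
        share.startswith("\\\\")      # Python literal for two backslashes
        and share.endswith("\\ipc$")  # Python literal for \ipc$
        and target == "lsarpc"
        and user == "anonymous logon"
    )


def find_alerts(events: list) -> list:
    """Return the subset of events the rule would raise an alert for."""
    return [e for e in events if matches_petitpotam_rule(e)]


# Constructed sample events (not real telemetry; IP addresses are placeholders).
SAMPLE_EVENTS = [
    {   # anonymous session opening the lsarpc pipe over IPC$: the pattern the rule flags
        "EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "lsarpc",
        "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.25",
    },
    {   # authenticated account using lsarpc: ordinary domain activity, not matched
        "EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "lsarpc",
        "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.40",
    },
    {   # anonymous access to a different named pipe: RelativeTargetName does not match
        "EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
        "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.25",
    },
    {   # anonymous access to a non-IPC$ share: ShareName suffix does not match
        "EventID": 5145, "ShareName": r"\\*\C$", "RelativeTargetName": "lsarpc",
        "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.25",
    },
    {   # share-level event 5140 rather than the detailed 5145 record: EventID does not match
        "EventID": 5140, "ShareName": r"\\*\IPC$", "RelativeTargetName": "lsarpc",
        "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.25",
    },
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT: anonymous lsarpc access over IPC$ from", alert["IpAddress"])
```

Only the first constructed record matches; the last one also shows why the rule's logsource definition matters: without the "Detailed File Share" audit subcategory enabled, Windows emits only the share-level 5140 event, which carries no RelativeTargetName and therefore never satisfies the selection.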
Related rules
- PetitPotam Suspicious Kerberos TGT Request
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU