Possible PetitPotam Coerce Authentication Attempt

 1title: Possible PetitPotam Coerce Authentication Attempt
 2id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
 3status: test
 4description: Detect PetitPotam coerced authentication activity.
 5references:
 6    - https://github.com/topotam/PetitPotam
 7    - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
 8author: Mauricio Velazco, Michael Haag
 9date: 2021/09/02
10modified: 2022/08/11
11tags:
12    - attack.credential_access
13    - attack.t1187
14logsource:
15    product: windows
16    service: security
17    definition: 'The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure'
18detection:
19    selection:
20        EventID: 5145
21        ShareName|startswith: '\\\\' # looking for the string \\somethink\IPC$
22        ShareName|endswith: '\IPC$'
23        RelativeTargetName: lsarpc
24        SubjectUserName: ANONYMOUS LOGON
25    condition: selection
26falsepositives:
27    - Unknown. Feedback welcomed.
28level: high

References

• GitHub - topotam/PetitPotam: PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions.

  

  PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions. - topotam/PetitPotam

  
  Read More

• security_content/detections/endpoint/petitpotam_network_share_access_request.yml at 0dd6de32de2118b2818550df9e65255f4109a56d · splunk/security_content

  

  Splunk Security Content. Contribute to splunk/security_content development by creating an account on GitHub.

  
  Read More

Related rules

• PetitPotam Suspicious Kerberos TGT Request
• Added Owner To Application
• App Granted Microsoft Permissions
• Application AppID Uri Configuration Changes
• Application URI Configuration Changes