Sigma rule | Level: high | Hunting
Possible PetitPotam Coerce Authentication Attempt
Detect PetitPotam coerced authentication activity.
Detection Query
    selection:
        EventID: 5145
        ShareName|startswith: '\\\\'
        ShareName|endswith: '\IPC$'
        RelativeTargetName: lsarpc
        SubjectUserName: ANONYMOUS LOGON
    condition: selection
Author
Mauricio Velazco, Michael Haag
Created
2021-09-02
Data Sources
windows / security
Platforms
windows
References
- https://github.com/topotam/PetitPotam
- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
Tags
- attack.credential-access
- attack.t1187
Raw Content
title: Possible PetitPotam Coerce Authentication Attempt
id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
status: test
description: Detect PetitPotam coerced authentication activity.
references:
    - https://github.com/topotam/PetitPotam
    - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
author: Mauricio Velazco, Michael Haag
date: 2021-09-02
modified: 2022-08-11
tags:
    - attack.credential-access
    - attack.t1187
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName|startswith: '\\\\' # looking for the string \\something\IPC$
        ShareName|endswith: '\IPC$'
        RelativeTargetName: lsarpc
        SubjectUserName: ANONYMOUS LOGON
    condition: selection
falsepositives:
    - Unknown. Feedback welcomed.
level: high
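The rule's selection block re-implemented as a plain Python predicate and run over constructed Windows Security 5145 events, so the four matching conditions (and Sigma's case-insensitive string matching) can be checked by hand. This is an added example, not code from the rule or from the referenced projects; the event dictionaries and their values are made up for illustration.

```python
# Added example: the Sigma selection above as a Python predicate.
# Field names follow the rule; all sample events below are constructed.

def _text(value) -> str:
    """Sigma string comparisons are case-insensitive; normalise for matching."""
    return str(value).lower()

def petitpotam_selection(event: dict) -> bool:
    """True when an event satisfies the rule's `selection` block."""
    # EventID may arrive as int or string depending on the log pipeline.
    if str(event.get("EventID", "")) != "5145":
        return False
    # Sigma escaping: '\\\\' in the rule is two literal backslashes,
    # '\IPC$' is a single backslash followed by IPC$.
    share = _text(event.get("ShareName", ""))
    if not (share.startswith("\\\\") and share.endswith("\\ipc$")):
        return False
    # Only the lsarpc named pipe is covered by this rule.
    if _text(event.get("RelativeTargetName", "")) != "lsarpc":
        return False
    return _text(event.get("SubjectUserName", "")) == "anonymous logon"

# Constructed sample events (Detailed File Share auditing, EventID 5145).
SAMPLE_EVENTS = [
    {   # anonymous access to the lsarpc pipe via IPC$: the rule fires
        "EventID": 5145, "ShareName": r"\\*\IPC$",
        "RelativeTargetName": "lsarpc", "SubjectUserName": "ANONYMOUS LOGON",
    },
    {   # same pipe, but an authenticated account: not selected
        "EventID": 5145, "ShareName": r"\\*\IPC$",
        "RelativeTargetName": "lsarpc", "SubjectUserName": "svc_backup",
    },
    {   # anonymous, but a different pipe: outside this rule's scope
        "EventID": 5145, "ShareName": r"\\*\IPC$",
        "RelativeTargetName": "srvsvc", "SubjectUserName": "ANONYMOUS LOGON",
    },
    {   # different event ID and share: not selected
        "EventID": 5140, "ShareName": r"\\*\SYSVOL",
        "RelativeTargetName": "lsarpc", "SubjectUserName": "ANONYMOUS LOGON",
    },
]

def run_rule(events) -> list:
    """Indices of selected events; the rule's condition is just `selection`."""
    return [i for i, ev in enumerate(events) if petitpotam_selection(ev)]

if __name__ == "__main__":
    print("matched events:", run_rule(SAMPLE_EVENTS))  # [0]
```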