title: Possible PetitPotam Coerce Authentication Attempt
author: Mauricio Velazco, Michael Haag
date: 2021/09/02
description: Detect PetitPotam coerced authentication activity.
detection:
    SELECTION_1:
        EventID: 5145
    SELECTION_2:
        ShareName: \\\*
    SELECTION_3:
        ShareName: '*\IPC$'
    SELECTION_4:
        RelativeTargetName: lsarpc
    SELECTION_5:
        SubjectUserName: ANONYMOUS LOGON
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown. Feedback welcomed.
id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
level: high
logsource:
    definition: The advanced audit policy setting "Object Access > Detailed File Share"
        must be configured for Success/Failure
    product: windows
    service: security
references:
- https://github.com/topotam/PetitPotam
- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
tags:
- attack.credential_access
- attack.t1187
yml_filename: win_petitpotam_network_share.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin