35 lines
1.0 KiB
YAML
35 lines
1.0 KiB
YAML
|
|
title: Possible PetitPotam Coerce Authentication Attempt
|
|
author: Mauricio Velazco, Michael Haag
|
|
date: 2021/09/02
|
|
description: Detect PetitPotam coerced authentication activity.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 5145
|
|
SELECTION_2:
|
|
ShareName: \\\*
|
|
SELECTION_3:
|
|
ShareName: '*\IPC$'
|
|
SELECTION_4:
|
|
RelativeTargetName: lsarpc
|
|
SELECTION_5:
|
|
SubjectUserName: ANONYMOUS LOGON
|
|
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
|
|
falsepositives:
|
|
- Unknown. Feedback welcomed.
|
|
id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
|
|
level: high
|
|
logsource:
|
|
definition: The advanced audit policy setting "Object Access > Detailed File Share"
|
|
must be configured for Success/Failure
|
|
product: windows
|
|
service: security
|
|
references:
|
|
- https://github.com/topotam/PetitPotam
|
|
- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
|
|
status: experimental
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1187
|
|
ruletype: SIGMA
|