
Possible PetitPotam Coerce Authentication Attempt

Detect PetitPotam coerced authentication activity.

Authors: Mauricio Velazco, Michael Haag
Created: Thu Sep 02
Updated: Thu Aug 11
Rule ID: 1ce8c8a3-2723-48ed-8246-906ac91061a6

Log Source

Product: windows
Service: security

Definition

Event ID 5145 (detailed file share access) is only written when the advanced audit policy subcategory "Object Access > Audit Detailed File Share" is enabled for Success and Failure. That subcategory is not part of the default audit policy, so a host without it configured produces no event for this rule to match, even during a successful coercion attempt. The rule keys on anonymous access to the lsarpc named pipe reached through the IPC$ share, which is the path the EFSRPC interface abused by PetitPotam is exposed on; the interface is also reachable through other named pipes, which this selection does not cover.

Detection Logic

All four fields of the selection must match on one event (Sigma joins the fields of a selection with AND):

detection:
    selection:
        EventID: 5145
        ShareName|startswith: '\\\\' # looking for the string \\something\IPC$
        ShareName|endswith: '\IPC$'
        RelativeTargetName: lsarpc
        SubjectUserName: ANONYMOUS LOGON
    condition: selection
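To see what the selection fires on, here is an added Python re-implementation of the rule run over constructed Security event records. It is example code written for this page, not part of the Sigma rule or the project; the field names are the ones the 5145 event carries, but the sample events, host names and the 10.0.0.7 source address are made up.

```python
# Added example: the Sigma selection above re-implemented in Python and run
# over constructed 5145 records. Not part of the original rule.

# Sigma escaping resolved: '\\\\' is the two-character literal prefix "\\" and
# '\IPC$' the literal suffix "\IPC$" (a backslash before a non-wildcard character
# is a plain backslash in Sigma). Sigma string matching is case-insensitive by
# default, so the constants are kept lowercase and inputs are lowered.
SHARE_PREFIX = "\\\\"
SHARE_SUFFIX = "\\ipc$"
TARGET_PIPE = "lsarpc"
ANON_USER = "anonymous logon"


def _norm(value) -> str:
    """Lowercase a field value; missing fields compare as the empty string."""
    return str(value).lower() if value is not None else ""


def matches_petitpotam_rule(event: dict) -> bool:
    """True when one event satisfies every field of the selection (AND)."""
    if event.get("EventID") != 5145:
        return False
    share = _norm(event.get("ShareName"))
    if not (share.startswith(SHARE_PREFIX) and share.endswith(SHARE_SUFFIX)):
        return False
    if _norm(event.get("RelativeTargetName")) != TARGET_PIPE:
        return False
    return _norm(event.get("SubjectUserName")) == ANON_USER


def find_hits(events):
    """Return the events the rule would fire on, in input order."""
    return [e for e in events if matches_petitpotam_rule(e)]


def hits_by_source(events):
    """Count hits per client address using the IpAddress field of the 5145 event."""
    counts = {}
    for e in find_hits(events):
        src = e.get("IpAddress", "?")
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample events (not real log data). Only the fields the rule
# and the triage helper read are included.
SAMPLE_EVENTS = [
    {   # anonymous open of \pipe\lsarpc over IPC$: the coerced-auth pattern -> hit
        "EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc",
        "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.7",
    },
    {   # same pipe, but an authenticated machine account: normal RPC traffic -> miss
        "EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc",
        "SubjectUserName": "WS01$", "IpAddress": "10.0.0.21",
    },
    {   # anonymous, IPC$, but a different pipe (srvsvc) -> miss, outside the rule
        "EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
        "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.7",
    },
    {   # a file share rather than IPC$ -> miss
        "EventID": 5145, "ShareName": "\\\\*\\SYSVOL", "RelativeTargetName": "corp\\Policies",
        "SubjectUserName": "jdoe", "IpAddress": "10.0.0.33",
    },
    {   # right fields on the wrong event (5140 is the plain share-access event) -> miss
        "EventID": 5140, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc",
        "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.7",
    },
    {   # server-qualified share name and different casing still satisfy the rule -> hit
        "EventID": 5145, "ShareName": "\\\\DC01\\IPC$", "RelativeTargetName": "LSARPC",
        "SubjectUserName": "Anonymous Logon", "IpAddress": "10.0.0.7",
    },
]


if __name__ == "__main__":
    for e in find_hits(SAMPLE_EVENTS):
        print("hit:", e["IpAddress"], e["ShareName"], e["RelativeTargetName"])
    print("hits by source:", hits_by_source(SAMPLE_EVENTS))
```

The third sample is the caveat from the definition in concrete form: an anonymous open of a different pipe through IPC$ is not matched, because the selection names lsarpc exactly. The grouping helper is the first triage step after an alert, since the 5145 event records the client IpAddress that initiated the coercion.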
False Positives

Unknown. Feedback welcomed. Anonymous access to the lsarpc pipe through IPC$ is not expected on a healthy network, so a hit should be triaged by the IpAddress and IpPort fields of the same 5145 event rather than dismissed.

Rule Metadata
Rule ID
1ce8c8a3-2723-48ed-8246-906ac91061a6
Status
test
Level
high
Type
Detection
Created
Thu Sep 02
Modified
Thu Aug 11
Path
rules/windows/builtin/security/win_security_petitpotam_network_share.yml
Raw Tags
attack.credential-access, attack.t1187