
Potential PetitPotam Attack Via EFS RPC Calls

Detects use of the Encrypting File System Remote Protocol (MS-EFSRPC), a Windows RPC interface. Functions of this interface are abused by the forced-authentication attack referred to as PetitPotam (see the ATT&CK tags below). Legitimate use of this interface over the network should be rare, if it occurs at all, so any call to it is uncommon enough to warrant further investigation to determine whether it is legitimate. Review surrounding logs (within a few minutes before and after) from the source IP; relevant Zeek logs from the source IP include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.

Authors: @neu5ron, @antonlovesdnb, Mike Remen
Created: Tue Aug 17
Updated: Mon Nov 28
Rule ID: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
Category: network
Log Source
Product: Zeek (Bro) (raw: zeek)
Service: dce_rpc (raw: dce_rpc)
Detection Logic (1 selector)
detection:
    selection:
        operation|startswith: 'efs'
    condition: selection
False Positives

Uncommon but legitimate Windows administration or software tasks that use the Encrypting File System RPC calls. Verify whether this is common activity in your environment (see description).
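To show what the selection above actually matches on log lines, and how the triage pivot from the description works, here is an added Python example. It is not code from the Sigma rule, the Sigma project or Zeek. It assumes Zeek is writing JSON logs (one object per line, flat keys such as "id.orig_h") and that the dce_rpc.log "operation" field carries the names Zeek assigns from its DCE-RPC interface table (for example EfsRpcOpenFileRaw); every record in the sample is constructed, not captured traffic. One check worth knowing: Sigma string matching is case-insensitive unless the |cased modifier is present, so the rule is meant to match EfsRpc* even though the pattern is written as 'efs', and a backend that emits a case-sensitive comparison would silently miss every hit.

```python
"""Run the Sigma selection above over Zeek JSON log lines and pivot on each hit.

Added example, not code from the Sigma rule, the Sigma project or Zeek. Assumes
Zeek JSON logs with flat keys ("id.orig_h") and Zeek's DCE-RPC operation names in
dce_rpc.log. Every record below is constructed for the example.
"""
import json
from typing import Dict, List, Tuple

LogLine = Tuple[str, str]  # (zeek log name, raw JSON line)

# Constructed sample: client 10.0.0.50 binds IPC$, authenticates with NTLM and issues
# two EFSRPC calls against 10.0.0.5; a second client does unrelated srvsvc work; the
# first client returns an hour later with a SAMR call (outside the pivot window).
_SAMPLE_RECORDS = [
    ("ntlm", {"ts": 1629200000.05, "uid": "C1a", "id.orig_h": "10.0.0.50", "id.orig_p": 49712,
              "id.resp_h": "10.0.0.5", "id.resp_p": 445, "username": "WS01$", "domain": "CORP",
              "success": True}),
    ("smb_mapping", {"ts": 1629200000.08, "uid": "C1a", "id.orig_h": "10.0.0.50", "id.orig_p": 49712,
                     "id.resp_h": "10.0.0.5", "id.resp_p": 445, "path": "\\\\10.0.0.5\\IPC$",
                     "share_type": "PIPE"}),
    ("dce_rpc", {"ts": 1629200000.10, "uid": "C1a", "id.orig_h": "10.0.0.50", "id.orig_p": 49712,
                 "id.resp_h": "10.0.0.5", "id.resp_p": 445, "named_pipe": "\\PIPE\\lsarpc",
                 "endpoint": "efsrpc", "operation": "EfsRpcOpenFileRaw"}),
    ("dce_rpc", {"ts": 1629200000.15, "uid": "C1a", "id.orig_h": "10.0.0.50", "id.orig_p": 49712,
                 "id.resp_h": "10.0.0.5", "id.resp_p": 445, "named_pipe": "\\PIPE\\lsarpc",
                 "endpoint": "efsrpc", "operation": "EfsRpcEncryptFileSrv"}),
    ("dce_rpc", {"ts": 1629200050.00, "uid": "C2b", "id.orig_h": "10.0.0.77", "id.orig_p": 50110,
                 "id.resp_h": "10.0.0.5", "id.resp_p": 445, "named_pipe": "\\PIPE\\srvsvc",
                 "endpoint": "srvsvc", "operation": "NetrShareEnum"}),
    ("dce_rpc", {"ts": 1629203700.00, "uid": "C3c", "id.orig_h": "10.0.0.50", "id.orig_p": 51200,
                 "id.resp_h": "10.0.0.5", "id.resp_p": 445, "named_pipe": "\\PIPE\\samr",
                 "endpoint": "samr", "operation": "SamrConnect"}),
]
SAMPLE_LINES: List[LogLine] = [(name, json.dumps(rec)) for name, rec in _SAMPLE_RECORDS]


def matches_rule(record: Dict) -> bool:
    """The selection 'operation|startswith: efs'. Sigma string matching is
    case-insensitive unless |cased is used, so compare lower-cased values."""
    op = record.get("operation")
    return isinstance(op, str) and op.lower().startswith("efs")


def detect(lines: List[LogLine]) -> List[Dict]:
    """Apply the rule to its logsource only (service dce_rpc) and return the hits."""
    hits = []
    for name, line in lines:
        if name != "dce_rpc":
            continue
        rec = json.loads(line)
        if matches_rule(rec):
            hits.append({"ts": rec["ts"], "uid": rec["uid"], "src": rec["id.orig_h"],
                         "dst": rec["id.resp_h"], "operation": rec["operation"]})
    return hits


def pivot(hit: Dict, lines: List[LogLine], window: float = 180.0) -> List[Tuple[str, Dict]]:
    """The triage step from the description: every entry from the hit's source IP,
    in any log type, within +/- window seconds (3 minutes by default), oldest first."""
    ctx = []
    for name, line in lines:
        rec = json.loads(line)
        if rec.get("id.orig_h") == hit["src"] and abs(rec["ts"] - hit["ts"]) <= window:
            ctx.append((name, rec))
    ctx.sort(key=lambda item: item[1]["ts"])
    return ctx


def triage(lines: List[LogLine], window: float = 180.0) -> Dict[Tuple[str, str], Dict]:
    """Group hits per (source, destination) so one coercion burst becomes one case,
    and attach the pivot context around the earliest EFSRPC call of each case."""
    cases: Dict[Tuple[str, str], Dict] = {}
    for hit in detect(lines):
        case = cases.setdefault((hit["src"], hit["dst"]), {"first": hit, "operations": []})
        case["operations"].append(hit["operation"])
        if hit["ts"] < case["first"]["ts"]:
            case["first"] = hit
    for case in cases.values():
        case["context"] = pivot(case["first"], lines, window)
    return cases


if __name__ == "__main__":
    for (src, dst), case in triage(SAMPLE_LINES).items():
        print(f"{src} -> {dst}: {', '.join(case['operations'])}")
        for name, rec in case["context"]:
            detail = rec.get("operation") or rec.get("path") or rec.get("username")
            print(f"  {rec['ts']:.2f} {name:12} {detail}")
```

Running it on the constructed sample yields one case (10.0.0.50 -> 10.0.0.5) with two EFSRPC calls, and the pivot shows the NTLM authentication and the IPC$ mapping that preceded them; the srvsvc call from 10.0.0.77 and the SAMR call an hour later are correctly left out. Grouping per source/destination pair matters in practice because PetitPotam tooling typically tries several EFSRPC functions in one connection, which would otherwise produce several alerts for one event.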

Rule Metadata
Rule ID
4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
Status
test
Level
medium
Type
Detection
Created
Tue Aug 17
Modified
Mon Nov 28
Path
rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
Raw Tags
attack.collection, attack.credential-access, attack.t1557.001, attack.t1187