← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential PetitPotam Attack Via EFS RPC Calls

Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. The usage of this RPC function should be rare if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1557.001T1187
Rule sourcerules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
title: Potential PetitPotam Attack Via EFS RPC Calls
id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
status: test
description: |
    Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
    The usage of this RPC function should be rare if ever used at all.
    Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
     View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
references:
    - https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
    - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
    - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
    - https://threatpost.com/microsoft-petitpotam-poc/168163/
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021-08-17
modified: 2022-11-28
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1557.001
    - attack.t1187
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation|startswith: 'efs'
    condition: selection
falsepositives:
    - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
level: medium