splApache-2.0from splunk/security_content
PetitPotam Network Share Access Request
The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/petitpotam_network_share_access_request.yml
`wineventlog_security` SubjectUserName="ANONYMOUS LOGON" EventCode=5145 RelativeTargetName=lsarpc
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest, SubjectUserSid, ShareName,
src, AccessMask, AccessReason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `petitpotam_network_share_access_request_filter`