Detection rules › Splunk
PetitPotam Network Share Access Request
The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1187 Forced Authentication |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5145 | A network share object was checked to see whether client can be granted desired access. |
Stages and Predicates
Stage 1: search
search EventCode=5145 RelativeTargetName="lsarpc" SubjectUserName="ANONYMOUS LOGON"
Stage 2: stats
stats BY dest, SubjectUserSid, ShareName, src, AccessMask, AccessReason
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
RelativeTargetName | eq |
|
SubjectUserName | eq |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Transferring Files with Credential Data via Network Shares (drops 3 filters this rule applies)