LoFP / False positives have been limited when the anonymous logon is used for account name.

Techniques

Sample rules

PetitPotam Network Share Access Request

Description

The following analytic utilizes Windows Event Code 5145, “A network share object was checked to see whether client can be granted desired access”. During our research into PetitPotam, CVE-2021-36942, we identified the occurrence of this event on the target host with specific values. To enable 5145 events via Group Policy, go to Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Policies->Object Access), then select the setting Audit Detailed File Share. It is possible this is not enabled by default and may need to be reviewed and enabled.

During triage, review parallel security events to identify further suspicious activity.

Detection logic

`wineventlog_security` SubjectUserName="ANONYMOUS LOGON" EventCode=5145 RelativeTargetName=lsarpc 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, SubjectUserSid, ShareName, src, AccessMask, AccessReason 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `petitpotam_network_share_access_request_filter`
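The search above, replayed outside Splunk as an added example (not part of the original rule): constructed Event ID 5145 records carry the same extracted field names the search uses, `matches` reproduces the base filter, and `detect` reproduces the `stats` step with a stand-in for the `security_content_ctime` macro. Host names, SIDs, addresses and timestamps are invented for the demo.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample 5145 records using the Splunk-extracted field names from the
# search. _time is epoch seconds, as in Splunk. All values are invented for the demo.
def _ev(t, user, sid, pipe, code=5145, src="10.0.0.55"):
    return {"_time": t, "EventCode": code, "SubjectUserName": user, "SubjectUserSid": sid,
            "dest": "dc01.example.local", "src": src, "ShareName": "\\\\*\\IPC$",
            "RelativeTargetName": pipe, "AccessMask": "0x12019f", "AccessReason": "-"}

SAMPLE_EVENTS = [
    _ev(1627812000, "ANONYMOUS LOGON", "S-1-5-7", "lsarpc"),                   # matches
    _ev(1627812003, "ANONYMOUS LOGON", "S-1-5-7", "lsarpc"),                   # matches, same group
    _ev(1627812010, "jsmith", "S-1-5-21-1-2-3-1105", "lsarpc"),                # authenticated user: excluded
    _ev(1627812020, "ANONYMOUS LOGON", "S-1-5-7", "srvsvc"),                   # other named pipe: excluded
    _ev(1627812030, "ANONYMOUS LOGON", "S-1-5-7", "lsarpc", code=5140),        # wrong event code: excluded
    _ev(1627812040, "ANONYMOUS LOGON", "S-1-5-7", "lsarpc", src="10.0.0.77"),  # matches, second source
]

GROUP_BY = ("dest", "SubjectUserSid", "ShareName", "src", "AccessMask", "AccessReason")

def matches(event):
    """Base search: anonymous logon, EventCode 5145, access check on the lsarpc pipe."""
    return (event.get("EventCode") == 5145
            and event.get("SubjectUserName") == "ANONYMOUS LOGON"
            and event.get("RelativeTargetName") == "lsarpc")

def ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch -> readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def detect(events):
    """`stats count min(_time) as firstTime max(_time) as lastTime by <GROUP_BY>`."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            groups[tuple(ev[f] for f in GROUP_BY)].append(ev["_time"])
    rows = []
    for key, times in sorted(groups.items()):
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times), firstTime=ctime(min(times)), lastTime=ctime(max(times)))
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

The filter macro at the end of the search has no equivalent here; tuning for the known false positive (legitimate anonymous logon account names) would be applied to the returned rows.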