LoFP / unknown. feedback welcomed.

Techniques

• t1187

Sample rules

Possible PetitPotam Coerce Authentication Attempt

• source: sigma
• technicques:
  • t1187

Description

Detect PetitPotam coerced authentication activity.

Detection logic

condition: selection
selection:
  EventID: 5145
  RelativeTargetName: lsarpc
  ShareName|endswith: \IPC$
  ShareName|startswith: \\\\
  SubjectUserName: ANONYMOUS LOGON