PetitPotam Network Share Access Request

Try in Splunk Security Cloud

Description

The following analytic utilizes Windows Event Code 5145, "A network share object was checked to see whether client can be granted desired access". During our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this event on the target host with specific values.
To enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit
It is possible this is not enabled by default and may need to be reviewed and enabled.
During triage, review parallel security events to identify further suspicious activity.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2021-08-31
• Author: Michael Haag, Mauricio Velazco, Splunk
• ID: 95b8061a-0a67-11ec-85ec-acde48001122

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1187	Forced Authentication	Credential Access

Kill Chain Phase

• Exploitation

NIST

CIS20

CVE

ID	Summary	CVSS
CVE-2021-36942	Windows LSA Spoofing Vulnerability	5.0

Search

`wineventlog_security` Account_Name="ANONYMOUS LOGON" EventCode=5145 Relative_Target_Name=lsarpc 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, Security_ID, Share_Name, Source_Address, Accesses, Message 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `petitpotam_network_share_access_request_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• wineventlog_security

petitpotam_network_share_access_request_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• dest
• Security_ID
• Share_Name
• Source_Address
• Accesses
• Message

How To Implement

Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments.

Known False Positives

False positives have been limited when the Anonymous Logon is used for Account Name.

Associated Analytic Story

• PetitPotam NTLM Relay on Active Directory Certificate Services

RBA

Risk Score	Impact	Confidence	Message
56.0	80	70	A remote host is enumerating a $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1187/
• https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145
• https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1187/petitpotam/windows-security.log

source | version: 1