Rules Contributing to Possible PetitPotam Coerce Authentication Attempt Alert

The following rules detect suspicious SMB traffic related to PetitPotam coerced authentication. Any one or more of these will trigger the Possible PetitPotam Coerce Authentication Attempt Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Possible PetitPotam Coerce Authentication Attempt

Detect PetitPotam coerced authentication activity.

Rule ID

network_security_4

Query

{'selection': {'appid_name': 'smb', 'metadata|contains|all': ['IPC$', 'lsarpc', 'ANONYMOUS LOGON']}, 'condition': 'selection'}

Log Source

Stellar Cyber Network Events configured for:

  • Requirements: Network/Security/Modular sensor must be able to capture network traffic

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0006, T1187

References

Severity

75

Suppression Logic Based On

  • appid_name
  • srcip
  • dstip
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2024/07/05 high

  • Unknown.