Detecting PetitPotam

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

PetitPotam is a Windows vulnerability that can be exploited by adversaries to launch NTLM relay attacks. The tool takes advantage of Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC), which is responsible for maintenance and management operations on encrypted data stored remotely.

Impact:

It can be used by adversaries in the following ways:

  • Interception of NTLM authentication requests
  • Credential theft
  • Privilege escalation
  • Lateral movement

Data source:

Windows:

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the Audit Process Creation audit policy, and enabling command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Software

Criteria:

(Command line contains petitpotam)

'PetitPotam' - Use of PetitPotam in the command line indicates a strong possibility of malicious activity by attackers, such as forced SMB authentication and NTLM relay attacks.
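The criterion above is a substring match on the command line of process-creation events. The following is an added example (not part of the rule documentation or any vendor's code) that applies that criterion to a batch of constructed Sysmon Event ID 1 and Security Event ID 4688 records; the event field names follow those Windows event schemas, and the sample events, user names and paths are made up for this illustration.

```python
"""Added example: evaluate the 'command line contains petitpotam' criterion
over constructed process-creation events (Sysmon 1 and Security 4688)."""

# Constructed sample telemetry; none of this is real log data.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir',
     "User": "CORP\\alice"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": r"C:\Python39\python.exe",
     "CommandLine": r"python.exe C:\Tools\PetitPotam.py",
     "User": "CORP\\bob"},
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Tools\petitpotam.exe",
     "CommandLine": r"C:\Tools\petitpotam.exe",
     "User": "CORP\\svc-backup"},
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": None,          # command line auditing not enabled
     "User": "CORP\\alice"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 5,
     "Image": r"C:\Tools\petitpotam.exe",  # process termination, no command line
     "User": "CORP\\svc-backup"},
]

PROCESS_CREATION_IDS = {1, 4688}


def command_line_matches(event: dict, needle: str = "petitpotam") -> bool:
    """Rule criterion: case-insensitive substring match on the command line.

    Events without a command line (auditing disabled, or non-creation events)
    cannot match, which is why command line auditing is a prerequisite."""
    command_line = event.get("CommandLine") or ""
    return needle in command_line.lower()


def evaluate_rule(events: list) -> list:
    """Return one alert record per process-creation event that meets the criterion."""
    alerts = []
    for event in events:
        if event.get("EventID") not in PROCESS_CREATION_IDS:
            continue
        if not command_line_matches(event):
            continue
        alerts.append({
            "channel": event["Channel"],
            "user": event["User"],
            # Sysmon names the executable 'Image'; Security 4688 uses 'NewProcessName'.
            "image": event.get("Image") or event.get("NewProcessName"),
            "command_line": event["CommandLine"],
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_EVENTS):
        print(f"ALERT {alert['channel']}: {alert['user']} ran {alert['command_line']}")
```

Two of the five constructed events raise an alert: the Sysmon record whose command line names PetitPotam.py and the Security record for petitpotam.exe. The record with an empty command line and the process-termination event do not, which shows why command line auditing is listed as a prerequisite. Because the rule keys on a name string, a renamed copy of the tool would not match; treat this rule as one signal and review matches against the known false positive of authorised blue-team testing.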

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified that the PetitPotam vulnerability is being leveraged within the network. This enables you to stop the runtime activity and prevent credential theft and other attacker goals.

PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected

When this rule is triggered, you're notified that the PetitPotam vulnerability is being leveraged within the network, which could mean a potential threat to remotely stored data. This enables you to tighten access control, create data backups, and prevent data disruption.

Known false positives: The blue teams might use the tool to test the effectiveness of their defensive measures and incident response protocols.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify the alert as a new incident or within an ongoing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to cease the malicious process.
  • Implement Multi-factor Authentication (MFA): Implement MFA to provide an additional layer of security for network resources and data.