Potential PetitPotam Attack Via EFS RPC Calls (4096842a-8f9f-4d36-92b4-d0b2a62f9b2a)

Detects usage of the Windows RPC interface Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC interface are used in the attack referred to as PetitPotam, which coerces a target host into authenticating to an attacker-controlled system (see the Forced Authentication technique mapped below). Legitimate use of these RPC methods should be rare, if they are used at all, so any observed call is uncommon enough to warrant further investigation to determine whether it is legitimate. View surrounding logs (within a few minutes before and after) from the source IP. Relevant logs from the source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.
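The triage the description asks for (flag an EFSRPC call in Zeek dce_rpc, then pull the other Zeek records around it for the same source IP) can be scripted. The block below is an added example, not the Sigma rule itself or code from the Sigma project. It assumes Zeek logs in JSON-lines form with the standard dce_rpc.log field names (ts, id.orig_h, id.resp_h, named_pipe, endpoint, operation) and a `_path` field naming the log, as the json-streaming-logs package emits; the sample lines are constructed for this example, not captured traffic, and the endpoint name "efsrpc" is assumed to be how the EFSRPC interface is labelled. Because the coerced authentication travels from the victim back to the attacker, the pivot matches the source IP in either direction rather than only as originator.

```python
import json
from typing import Dict, List

# Constructed Zeek JSON-lines sample (not real traffic). 10.0.0.5 is the
# suspected attacker, 10.0.0.10 the coerced target; field names follow Zeek.
SAMPLE_LOGS = r"""
{"_path":"smb_mapping","ts":1699999990.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.10","path":"\\\\10.0.0.10\\IPC$"}
{"_path":"dce_rpc","ts":1700000000.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.10","named_pipe":"\\pipe\\lsarpc","endpoint":"efsrpc","operation":"EfsRpcOpenFileRaw"}
{"_path":"ntlm","ts":1700000001.5,"id.orig_h":"10.0.0.10","id.resp_h":"10.0.0.5","username":"DC01$","success":true}
{"_path":"dce_rpc","ts":1700000600.0,"id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.10","named_pipe":"\\pipe\\srvsvc","endpoint":"srvsvc","operation":"NetrShareEnum"}
{"_path":"kerberos","ts":1700003000.0,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.10","request_type":"TGS","service":"cifs/dc01"}
"""

# MS-EFSRPC method names all start with this prefix (EfsRpcOpenFileRaw,
# EfsRpcEncryptFileSrv, ...); matching the prefix covers the whole interface.
EFSRPC_PREFIX = "EfsRpc"
# Assumed Zeek endpoint label for the EFSRPC interface.
EFSRPC_ENDPOINT = "efsrpc"


def parse_zeek_json(text: str) -> List[Dict]:
    """Parse JSON-lines Zeek output into a list of records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_efsrpc_call(rec: Dict) -> bool:
    """True for a dce_rpc record that targets the EFSRPC interface or one of its methods."""
    if rec.get("_path") != "dce_rpc":
        return False
    return (rec.get("endpoint") == EFSRPC_ENDPOINT
            or str(rec.get("operation", "")).startswith(EFSRPC_PREFIX))


def efsrpc_hits(records: List[Dict]) -> List[Dict]:
    """The detection: every EFSRPC call is a hit, since legitimate use is rare."""
    return [r for r in records if is_efsrpc_call(r)]


def surrounding_activity(records: List[Dict], hit: Dict, window_s: float = 180.0) -> List[Dict]:
    """Records within +/- window_s of the hit involving the hit's source IP
    as originator or responder (the coerced auth comes back from the target)."""
    src = hit["id.orig_h"]
    lo, hi = hit["ts"] - window_s, hit["ts"] + window_s
    context = [r for r in records
               if r is not hit
               and lo <= r["ts"] <= hi
               and src in (r.get("id.orig_h"), r.get("id.resp_h"))]
    return sorted(context, key=lambda r: r["ts"])


def triage(text: str, window_s: float = 180.0) -> List[Dict]:
    """Run the detection over a log batch and attach the pivot context to each hit."""
    records = parse_zeek_json(text)
    return [{"hit": h, "context": surrounding_activity(records, h, window_s)}
            for h in efsrpc_hits(records)]


def summarize(result: List[Dict]) -> str:
    """Human-readable summary: one line per hit, indented lines for context records."""
    out = []
    for item in result:
        h = item["hit"]
        out.append(f"[HIT] ts={h['ts']} {h['id.orig_h']} -> {h['id.resp_h']} "
                   f"{h.get('named_pipe')} {h.get('endpoint')}::{h.get('operation')}")
        for r in item["context"]:
            out.append(f"    {r['_path']:<12} ts={r['ts']} {r['id.orig_h']} -> {r['id.resp_h']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOGS)))
```

On the sample, the EfsRpcOpenFileRaw call is the only hit; the IPC$ tree connect ten seconds earlier and the machine-account NTLM authentication from the target back to the source land in its context, while the unrelated srvsvc call and the Kerberos request 50 minutes later do not. A widened window (say 600 seconds) trades precision for the chance of catching slower follow-on activity such as a relay to AD CS.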

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | Potential PetitPotam Attack Via EFS RPC Calls (4096842a-8f9f-4d36-92b4-d0b2a62f9b2a) | Sigma-Rules | 1 |
| Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) | Attack Pattern | Potential PetitPotam Attack Via EFS RPC Calls (4096842a-8f9f-4d36-92b4-d0b2a62f9b2a) | Sigma-Rules | 1 |
| Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) | Attack Pattern | 2 |