Petitpotam Network Share Access Request

Petitpotam Network Share Access Request


The following analytic utilizes Windows Event Code 5145, "A network share object was checked to see whether client can be granted desired access". During our research into PetitPotam, CVE-2021-36942, we identified the ocurrence of this event on the target host with specific values. \ To enable 5145 events via Group Policy - Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting Audit Detailed File Share Audit \ It is possible this is not enabled by default and may need to be reviewed and enabled. \ During triage, review parallel security events to identify further suspicious activity.


Petitpotam Network Share Access Request Help

Windows Event Code 5145 is required to utilize this analytic and it may not be enabled in most environments.


Open in Search