Hi Adam.
I hope you are doing fine.
I'm not sure how we can reproduce this vulnerability, but I can help you create a rule to trigger on that case.
It would be good to know the format of event 5145 when it arrives at the manager, to create a decoder if necessary.
Event 5145 (A network share object was checked to see whether client can be granted desired access)
If event 5145 was generated on an agent endpoint, it should be sent to the manager and you will find it in /var/ossec/logs/archives/archives.log on the manager side. If the archives file doesn't exist, double check that the manager's ossec.conf includes the log-all options, as in the following configuration:
<ossec_config>
  <global>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
  </global>
</ossec_config>
Another issue could be:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157]</query>
</localfile>
If you find the above lines in the ossec.conf file on the agent side, remove "EventID != 5145" from that list.
Once you find a 5145 Windows event in /var/ossec/logs/archives/archives.log, we will be able to create a rule for it.
Here is an example:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5145</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12811</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
    <EventRecordID>267092</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x38d34</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
    <Data Name="IpPort">56926</Data>
    <Data Name="ShareName">\\*\Documents</Data>
    <Data Name="ShareLocalPath">\??\C:\Documents</Data>
    <Data Name="RelativeTargetName">Bginfo.exe</Data>
    <Data Name="AccessMask">0x100081</Data>
    <Data Name="AccessList">%%1541 %%4416 %%4423</Data>
    <Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
  </EventData>
</Event>
And an example rule could be:
Existing parent rule:
<rule id="60001" level="0">
  <if_sid>60000</if_sid>
  <field name="win.system.channel">^Security$</field>
  <options>no_full_log</options>
  <description>Group of Windows rules for the Security channel</description>
</rule>
New custom rule for event 5145:
<rule id="100002" level="5">
  <if_sid>60001</if_sid>
  <field name="win.system.EventID">^5145$</field>
  <options>no_full_log</options>
  <description>A network share object was checked to see whether client can be granted desired access</description>
</rule>
New custom rule for event 5145 where the user is empty:
<rule id="100003" level="12">
  <if_sid>100002</if_sid>
  <field name="win.eventdata.subjectusername">^$</field>
  <options>no_full_log</options>
  <description>Event 5145 with empty user</description>
</rule>
New custom rule for event 5145 where the user is ANONYMOUS LOGON:
<rule id="100004" level="12">
  <if_sid>100002</if_sid>
  <field name="win.eventdata.subjectusername">^ANONYMOUS LOGON$</field>
  <options>no_full_log</options>
  <description>Petitpotam vulnerability</description>
</rule>
The last rule will trigger when the win.EventData.SubjectUserName field is ANONYMOUS LOGON, and the previous one when it's empty. I used win.eventdata.subjectusername in my sample, but I'm not sure about that field; it would be useful to have a real sample of event 5145 to figure it out.
I hope this is useful; let me know how it goes.
Regards.
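As an added illustration (not code from Wazuh or from this reply), a small Python model of how the three custom rules above chain through if_sid and what each fires on: the 5145 event with a normal user, with an empty SubjectUserName, and with ANONYMOUS LOGON. The XML flattening into win.system.* and win.eventdata.* field names, compared case-insensitively, and the minimal constructed events are assumptions of the example; in a real deployment the agent's eventchannel decoder produces those fields.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The reply's custom rule chain as (rule id, if_sid, level, field, regex, description).
RULES = [
    (100002, 60001, 5, "win.system.EventID", r"^5145$", "Network share object checked"),
    (100003, 100002, 12, "win.eventdata.subjectusername", r"^$", "Event 5145 with empty user"),
    (100004, 100002, 12, "win.eventdata.subjectusername", r"^ANONYMOUS LOGON$", "Petitpotam vulnerability"),
]

def sample_event(user, event_id="5145"):
    """Constructed minimal Security-channel event in the layout of the sample above."""
    return (
        f'<Event xmlns="{NS["e"]}">'
        f"<System><EventID>{event_id}</EventID><Channel>Security</Channel></System>"
        f'<EventData><Data Name="SubjectUserName">{user}</Data>'
        '<Data Name="SubjectDomainName">CONTOSO</Data></EventData></Event>'
    )

def flatten(xml_text):
    """Map <System> children and <EventData> Data names to lower-cased dotted keys.
    The win.system.* / win.eventdata.* naming is modelled on the rules above and is
    an assumption of this example; the real Wazuh agent produces the fields as JSON."""
    root = ET.fromstring(xml_text)
    fields = {}
    for child in root.find("e:System", NS):
        fields["win.system." + child.tag.split("}")[-1].lower()] = (child.text or "").strip()
    for data in root.find("e:EventData", NS):
        fields["win.eventdata." + data.get("Name").lower()] = (data.text or "").strip()
    return fields

def evaluate(xml_text, already_fired=(60001,)):
    """Walk the if_sid chain: a rule fires only when its parent fired and its regex
    matches a field that is present (names compared case-insensitively). Returns the
    highest-level (rule_id, level) hit, or None. Rule 60001 is assumed matched."""
    fields = flatten(xml_text)
    fired = {sid: 0 for sid in already_fired}
    for rid, parent, level, field, pattern, _desc in RULES:
        value = fields.get(field.lower())
        if parent in fired and value is not None and re.search(pattern, value):
            fired[rid] = level
    hits = [(rid, lvl) for rid, lvl in fired.items() if rid not in already_fired]
    return max(hits, key=lambda h: h[1]) if hits else None

if __name__ == "__main__":
    for user in ("dadmin", "", "ANONYMOUS LOGON"):
        print(repr(user), "->", evaluate(sample_event(user)))
```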