This note documents detection patterns related to PetitPotam within Active Directory environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Security	4776	NTLM authentication	Critical	Machine account NTLM authentication triggered via EFSRPC coercion.
Security	4624	Successful logon	High	Logon events generated from coerced machine authentication.
Security	4769	Kerberos service ticket request	Medium	Service ticket requests following coerced authentication.
Security	5140	Network share accessed	Medium	SMB authentication events triggered by coercion.
Sysmon	3	Network connection	Critical	Outbound SMB or HTTP connection from coerced host to attacker-controlled system.
Sysmon	1	Process creation	Medium	Execution of PetitPotam or related coercion tools.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Machine account authenticating unexpectedly	Computer account performing NTLM authentication to unusual host	Critical	Typical result of PetitPotam coercion.
Domain controller outbound authentication	DC initiating authentication to remote host	Critical	Highly suspicious behavior.
NTLM authentication followed by relay activity	Authentication used immediately for NTLM relay	High	Common attack chain.
Execution of coercion tools	Processes associated with PetitPotam exploitation	Critical	Direct evidence of attack activity.
SMB/HTTP connection to attacker host	Coerced machine connecting to unknown server	High	Indicates forced authentication attempt.

Common Tools

Tool	Usage
PetitPotam	Exploits MS-EFSRPC to coerce machine authentication.
ntlmrelayx	Relays coerced NTLM authentication to other services.
Coercer	Framework automating coercion attacks.
CrackMapExec	Used together with relay attacks.
Impacket	Provides relay and coercion capabilities.

Relevant Artifacts

Domain controller Security logs (4624, 4776, 4769)
SMB authentication logs
Network traffic logs showing outbound authentication
Sysmon logs (1, 3)
EDR telemetry identifying coercion tools
Prefetch artifacts for PetitPotam execution
NTLM relay logs
Authentication logs on relay targets

MITRE ATT&CK References

T1187 Forced Authentication
T1557 Adversary-in-the-Middle
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay

Decision Tree

Is the suspicious event present?
- Identify machine account authentication events.
What host generated the event?
- Determine which server initiated authentication.
Is the authentication expected?
- Investigate whether system normally authenticates to destination.
Pivot:
- Source host → inspect execution of PetitPotam or coercion tools.
- Destination host → analyze relay attempts.
- Network → inspect SMB or HTTP authentication flows.
Confirm exploitation
- Determine whether coerced authentication was relayed to escalate privileges.

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4776
| where TargetUserName endswith "$"

DeviceNetworkEvents
| where RemotePort in (445,80,443)
| summarize count() by RemoteIP, InitiatingProcessAccountName, bin(TimeGenerated,5m)

EQL

any where event.code == "4776"

Sigma

title: Suspicious Machine Account NTLM Authentication
id: petitpotam-coercion-detection
status: experimental
description: Detects machine account NTLM authentication which may indicate PetitPotam coercion
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4776
  condition: selection
fields:
  - TargetUserName
  - Workstation
falsepositives:
  - Legitimate machine authentication
level: medium
tags:
  - attack.lateral_movement
  - attack.t1187

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
NTLM restrictions	Disable or restrict NTLM authentication	Critical	Prevents relay abuse.
SMB signing	Require SMB signing across domain	High	Prevents NTLM relay attacks.
Patch management	Apply patches addressing EFSRPC abuse	High	Reduces exploitation opportunities.
Monitoring	Alert on machine account outbound authentication	High	Detects coercion attempts.
Network segmentation	Limit SMB/HTTP authentication flows	Medium	Reduces relay attack surface.