{
	"id": "dec357f8-a22a-4556-b95c-9b4b727f35f7",
	"created_at": "2026-04-06T03:36:23.355075Z",
	"updated_at": "2026-04-10T13:12:04.014422Z",
	"deleted_at": null,
	"sha1_hash": "9984921ce10ab5c879dccdc5bc8ac15c1d40587a",
	"title": "GitHub - topotam/PetitPotam: PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 469269,
	"plain_text": "GitHub - topotam/PetitPotam: PoC tool to coerce Windows hosts\r\nto authenticate to other machines via MS-EFSRPC\r\nEfsRpcOpenFileRaw or other functions.\r\nBy topotam\r\nArchived: 2026-04-06 03:34:48 UTC\r\nPoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or\r\nother functions :)\r\nThe tools use the LSARPC named pipe with inteface c681d488-d850-11d0-8c52-00c04fd90f7e because it's more\r\nprevalent. But it's possible to trigger with the EFSRPC named pipe and interface df1941c5-fe89-4e79-bf10-\r\n463657acf44d. It doesn't need credentials against Domain Controller :D\r\nDisabling the EFS service seems not to mitigate the \"feature\"\r\nThe Python one require Impacket to be installed, the Windows PoC was done on VS 2019 Community. If\r\ncompilation problem, remember to add Rpcrt4.lib in the linker. Compile in x86.\r\nInspired by the previous work on MS-RPRN from @tifkin_ \u0026 @elad_shamir and others SpecterOps guys.\r\nIncomplete patch from Microsoft :) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\r\nMS-EFSRPC - Encrypting File System Remote (EFSRPC) Protocol https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31\r\nhttps://github.com/topotam/PetitPotam\r\nPage 1 of 2\n\nSource: https://github.com/topotam/PetitPotam\r\nhttps://github.com/topotam/PetitPotam\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/topotam/PetitPotam"
	],
	"report_names": [
		"PetitPotam"
	],
	"threat_actors": [],
	"ts_created_at": 1775446583,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9984921ce10ab5c879dccdc5bc8ac15c1d40587a.pdf",
		"text": "https://archive.orkl.eu/9984921ce10ab5c879dccdc5bc8ac15c1d40587a.txt",
		"img": "https://archive.orkl.eu/9984921ce10ab5c879dccdc5bc8ac15c1d40587a.jpg"
	}
}