June 2, 2023

Microsoft has released mitigations for the new PetitPotam NTLM relay attack that allows taking over a domain controller or other Windows servers.

The new attack uses the Microsoft Encrypting File System Remote Protocol (EFSRPC) to force a device, including domain controllers, to authenticate to a remote NTLM relay controlled by a threat actor. Once succeeded threat actor can steal hash and certificates that can be used to assume the identity of the device and its privileges.

Microsoft published a security advisory with recommendations for organizations to defend against threat actors using the new technique on domain controllers.

PettiPotam or other relay attacks exposure have NTLM authentication enabled on the domain and are using Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment or Certificate Enrollment Web Service. Disabling NTLM when not required is a recommendation comes from Microsoft and use SMB signing.

“PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks [as outlined in KB5005413]” – Microsoft

PetitPotam is about abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to pass on authentication requests, leaving the door open for other attacks, this is a temporary mitigation of the attack but not a permanent solution. Microsoft has to release a security update to fix it

Leave a Reply

%d bloggers like this: