Microsoft has released mitigations for the new PetitPotam NTLM relay attack that allows taking over a domain controller or other Windows servers.
PetitPotam is a new method that can be used to perform an NTLM relay attack discovered by French security researcher Gilles Lionel (Topotam). This method was released this week in conjunction with a proof-of-concept (PoC) script.
The new attack abuses Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC) to force a device, including a domain controller, to authenticate to an NTLM relay controlled by a threat actor.
Once a device authenticates to a malicious NTLM server, a threat actor can steal hashes and certificates that can be used to assume the identity of the device and its privileges.
Mitigation limited to domain controllers
After news broke of the PetitPotam NTLM relay attack yesterday, Microsoft released a security advisory with recommendations for organizations to defend themselves against threat actors using the new technique on domain controllers.
The company says that organizations exposed to PetitPotam, or other relay attacks, have NTLM authentication enabled on the domain and are using Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.
Microsoft recommends disabling NTLM where it is not needed, for example on domain controllers, or enabling Extended Protection for Authentication (EPA) to protect credentials on Windows machines.
On networks where NTLM remains enabled, the company also recommends that services accepting NTLM authentication use signing features such as SMB signing, which has been available since Windows 98.
However, PetitPotam abuses the EfsRpcOpenFileRaw function of the MS-EFSRPC API to trigger the authentication request, and that avenue remains open for other attacks.
Microsoft’s advisory is clear on action to prevent NTLM relay attacks, but it does not address abuse of the MS-EFSRPC API, which would need a security update to fix.
Gilles Lionel told BleepingComputer that PetitPotam enables other attacks as well. One example is a downgrade attack to NTLMv1, which uses the Data Encryption Standard (DES), an insecure algorithm whose short 56-bit key makes it easy to recover the password hash.
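The two conditions the article keeps returning to (a coerced machine account being authenticated elsewhere over NTLM, and NTLMv1 being negotiated at all) both leave traces in the Windows Security log of the server that receives the relayed logon. The script below is an added example, not code from the article, from Microsoft or from the PetitPotam project: it scans successful-logon events (ID 4624) exported as one JSON object per line and flags both conditions. The JSON field names mirror the 4624 event's XML fields but are an assumption about the export format, and the host inventory and sample events are constructed for the demonstration.

```python
"""Flag 4624 logon events that match the two PetitPotam-related patterns.

Added example (not from the article, Microsoft or the PetitPotam project).
Assumes events arrive as one JSON object per line whose keys mirror the
4624 event fields (EventID, LogonType, TargetUserName,
AuthenticationPackageName, LmPackageName, IpAddress).
"""
import json
from dataclasses import dataclass

# Constructed inventory: the address each computer account legitimately
# connects from. A real deployment would derive this from DNS/AD.
KNOWN_HOSTS = {
    "DC01$": "10.0.0.10",
    "EXCH01$": "10.0.0.20",
    "WKS-42$": "10.0.5.42",
}

# Constructed sample events. Event 2 is the domain controller's account
# authenticating with NTLM from an address that is not the DC, which is
# what a relayed coerced authentication looks like on the receiving host.
# Event 3 shows a user logon negotiated as NTLM V1.
SAMPLE_EVENTS = [
    '{"EventID":4624,"LogonType":3,"TargetUserName":"DC01$",'
    '"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","IpAddress":"10.0.0.10"}',
    '{"EventID":4624,"LogonType":3,"TargetUserName":"DC01$",'
    '"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V2","IpAddress":"10.0.9.99"}',
    '{"EventID":4624,"LogonType":3,"TargetUserName":"jdoe",'
    '"AuthenticationPackageName":"NTLM","LmPackageName":"NTLM V1","IpAddress":"10.0.5.42"}',
    '{"EventID":4624,"LogonType":3,"TargetUserName":"EXCH01$",'
    '"AuthenticationPackageName":"Kerberos","LmPackageName":"-","IpAddress":"10.0.0.10"}',
    '{"EventID":4672,"TargetUserName":"Administrator"}',
    'this line is not JSON and is skipped',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    source_ip: str


def parse_event(line):
    """Return the event as a dict, or None for lines that are not JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def analyze(event, known_hosts=KNOWN_HOSTS):
    """Apply both rules to one parsed event; only NTLM network logons qualify."""
    findings = []
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return findings
    if event.get("AuthenticationPackageName") != "NTLM":
        return findings
    account = event.get("TargetUserName", "")
    source_ip = event.get("IpAddress", "-")

    # Rule 1: a computer account ($) using NTLM from an address other than
    # its own host. On the relay target this is the coerced-auth signature.
    if account.endswith("$"):
        owner_ip = known_hosts.get(account)
        if owner_ip is not None and source_ip != owner_ip:
            findings.append(Finding("machine-account-ntlm-from-foreign-ip", account, source_ip))

    # Rule 2: NTLMv1 negotiated at all; the DES-based downgrade depends on it.
    if event.get("LmPackageName") == "NTLM V1":
        findings.append(Finding("ntlmv1-negotiated", account, source_ip))
    return findings


def scan(lines, known_hosts=KNOWN_HOSTS):
    """Run analyze() over an iterable of exported log lines."""
    results = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            results.extend(analyze(event, known_hosts))
    return results


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.rule}: {finding.account} from {finding.source_ip}")
```

Run against the constructed sample it reports two findings: the DC01$ NTLM logon from 10.0.9.99 and the NTLM V1 logon by jdoe. The first rule is the stronger signal but needs an accurate host-to-address inventory; multi-homed servers and NAT will produce false positives until the inventory reflects them. The second rule is independent of inventory and is also a quick way to confirm that an LmCompatibilityLevel change actually removed NTLMv1 from the estate.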
An attacker can then use the compromised machine account on hosts where that account holds local administrator privileges. Lionel says that Exchange and Microsoft System Center Configuration Manager (SCCM) servers are a common scenario.
PetitPotam affects Windows Server 2008 through 2019. Microsoft's advisory notes that the technique has not yet been seen exploited in the wild, but it does not provide an assessment of how exploitable it is.