Security researchers have come up with a way to block the recently revealed PetitPotam attack vector that allows hackers to easily take control of a Windows domain controller.
Last month, security researcher Gilles Lionel revealed a new method called PetitPotam that forces a Windows machine, including a Windows domain controller, to authenticate against a threat actor’s malicious NTLM relay server using the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC).
The threat actors would then relay this authentication request to the Active Directory Certificate Services of a target domain via HTTP, where the attacker would receive a Kerberos Ticket Granting Ticket (TGT), allowing them to take over the domain controller’s identity.
After the vector was revealed, researchers quickly began testing the method and illustrating how easy it was to capture the credentials and take over a Windows domain.
With this attack, a threat actor can take complete control of a Windows domain, including pushing new group policies and scripts and deploying malware such as ransomware to every device.
Last week, Microsoft published a notice titled ‘Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)’, which explains how to mitigate NTLM relay attacks.
“To prevent NTLM relay attacks on NTLM-enabled networks, domain administrators should ensure that services that allow NTLM authentication use protections such as Extended Protection for Authentication (EPA) or signature features like SMB signing,” explains Microsoft’s notice.
“PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM relay attacks. The mitigations described in KB5005413 instruct customers on how to protect their AD CS servers from such attacks.”
While Microsoft’s suggestions can prevent NTLM relay attacks, they do not provide any guidance on blocking PetitPotam, which can be used as a vector for other attacks.
“It can also be used for different attacks such as NTLMv1 downgrade and machine account broadcast on computers where this machine account is a local administrator,” Lionel told BleepingComputer when he first revealed the attack vector.
Microsoft’s response to recent vulnerabilities, such as PetitPotam, SeriousSAM, and PrintNightmare, has been very concerning to security researchers who feel that Microsoft is not doing enough to protect its customers.
I would like to clarify my position on #Microsoft in general
Many things have improved in the last 10 years … a lot … especially with Windows 10/2016.
Today, many fellow security researchers that I respect very much work there.
I criticize Microsoft’s response to the recent ..
– Florian Roth (@cyb3rops) August 1, 2021
Blocking PetitPotam attacks using NETSH filters
The good news is that researchers have discovered a way to block the unauthenticated remote attack vector PetitPotam using NETSH filters without affecting local EFS functionality.
NETSH is a Windows command line utility that allows administrators to configure network interfaces, add filters, and modify Windows firewall settings.
This weekend, Craig Kirby shared a NETSH RPC filter that blocks remote access to the MS-EFSRPC API, effectively blocking the unauthenticated PetitPotam attack vector.
According to security researcher Benjamin Delpy, you can use this filter by copying the following content into a file called ‘block_efsr.txt’ and saving it to your desktop.
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit
Now open an elevated command prompt and type the following command to import the filter using NETSH.
netsh -f %userprofile%\desktop\block_efsr.txt
You can verify that the filters have been added by running the following command:
netsh rpc filter show filter
After running the command, netsh should display two filters, one for c681d488-d850-11d0-8c52-00c04fd90f7e and one for df1941c5-fe89-4e79-bf10-463657acf44d, as shown below.
With these filters in place, the PetitPotam vector will no longer work, but EFS will continue to function normally on the device.
If Microsoft ever fixes the API to close this vector, you can remove the filters with the following command:
netsh rpc filter delete filter filterkey=[key]
The filter key can be found by displaying the list of filters configured as described above.
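The steps above, gathered into one PowerShell script as an added example (not code from the article, Kirby or Delpy): it writes block_efsr.txt with the two interface UUIDs named in the article, imports it, checks that netsh lists a filter for each UUID, and removes those filters by their filter key. The function names are invented here, and the parsing assumes the text layout of `netsh rpc filter show filter` output (a `filterKey:` line for each filter, followed later by the UUID in its condition).

```powershell
# Added example: apply, verify and remove the MS-EFSRPC RPC filters from the article.
# Assumption: "netsh rpc filter show filter" prints "filterKey: <guid>" per filter,
# followed by the condition lines that contain the matched if_uuid.
#Requires -RunAsAdministrator

$EfsrpcUuids = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',   # MS-EFSRPC interface UUID (from the article)
    'df1941c5-fe89-4e79-bf10-463657acf44d'    # second MS-EFSRPC interface UUID (from the article)
)

function New-EfsrpcFilterScript {
    # Write the same netsh script the article shows, one command per line.
    param([string]$Path = "$env:USERPROFILE\Desktop\block_efsr.txt")
    $lines = @('rpc', 'filter')
    foreach ($uuid in $EfsrpcUuids) {
        $lines += 'add rule layer=um actiontype=block'
        $lines += "add condition field=if_uuid matchtype=equal data=$uuid"
        $lines += 'add filter'
    }
    $lines += 'quit'
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

function Install-EfsrpcFilter {
    netsh -f (New-EfsrpcFilterScript) | Out-Null     # same as the article's "netsh -f" step
}

function Get-EfsrpcFilterKeys {
    # Map each blocked interface UUID to the filterKey netsh assigned to its filter.
    $keys = @{}
    $currentKey = $null
    foreach ($line in (netsh rpc filter show filter)) {
        if ($line -match 'filterKey:\s*([0-9a-fA-F-]{36})') { $currentKey = $Matches[1]; continue }
        foreach ($uuid in $EfsrpcUuids) {
            if ($currentKey -and $line -match [regex]::Escape($uuid)) { $keys[$uuid] = $currentKey }
        }
    }
    return $keys
}

function Test-EfsrpcBlocked {
    # True only when both interface UUIDs have an active block filter.
    $keys = Get-EfsrpcFilterKeys
    return @($EfsrpcUuids | Where-Object { -not $keys.ContainsKey($_) }).Count -eq 0
}

function Remove-EfsrpcFilter {
    # Undo step from the article: delete each filter by its key.
    foreach ($key in (Get-EfsrpcFilterKeys).Values) {
        netsh rpc filter delete filter filterkey=$key | Out-Null
    }
}
```

Run `Install-EfsrpcFilter` then `Test-EfsrpcBlocked` from an elevated PowerShell session; `Remove-EfsrpcFilter` reverses the change once the API is patched.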