A new type of NTLM relay attack dubbed PetitPotam poses a threat to the security of Windows systems. According to researchers, this attack is different in that it exploits the Encrypting File System Remote Protocol, and it ultimately leads to taking over Windows domains.
PetitPotam NTLM Relay Attacks
A security researcher, GILLES Lionel (with the alias Topotam), has recently disclosed a new NTLM relay attack, dubbed PetitPotam. This attack exploits Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC), which is enabled by default on Windows servers and workstations.
MS-RPRN to coerce machine authentication is great but the service is often disabled nowadays by admins on most orgz.
Here is one another way we use to elicit machine account auth via MS-EFSRPC. Enjoy!! 🙂 https://t.co/AGiS4f6yt8
— topotam (@topotam77) July 18, 2021
Describing this protocol in a separate document, Microsoft states,
Specifies the Encrypting File System Remote (EFSRPC) Protocol, which performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network.
The PetitPotam attack requires no authentication for execution against Active Directory Certificate Services (AD CS).
The researcher has also released a PoC exploit on GitHub.
While this isn’t the first NTLM relay attack, it’s different in the function it exploits. The previously discovered attack method exploited the Windows MS-RPRN printing API. However, what’s similar in both attacks is that the exploited services come enabled by default.
After the discovery of the first attack, many organizations disabled MS-RPRN as a mitigation, but the new attack method has emerged as a threat again.
Microsoft Advises Mitigations
Following the discovery of the PetitPotam attack, Microsoft issued a detailed advisory for mitigations.
The tech giant explained that executing this attack requires the adversary to have the domain credentials of the target network.
As a mitigation, Microsoft advised disabling NTLM when not required, although doing so risks breaking environments.
Please revise the advisory to indicate risk of breaking environments by disabling NTLM, and add guidance on the policies to enable NTLM auditing first
Guaranteed there will be customers that follow your guidance to disable NTLM via that policy and break their environment…
— Nathan McNulty (@NathanMcNulty) July 24, 2021
Moreover, Microsoft has recommended that domain admins protect the services that permit NTLM authentication with Extended Protection for Authentication (EPA) or signing features such as SMB signing. According to the tech giant,
PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks.
However, it hasn’t yet shared anything about possible patches from its end.
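An added example (not from the original article or from Microsoft’s advisory) of the audit-first approach raised above: it inventories NTLM network logons from Security event 4624 records exported from the AD CS host, and flags machine accounts that authenticated over NTLM from an address that is not their own. The CSV sample, host names, addresses and the KNOWN_HOSTS map are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample: Security event 4624 fields exported to CSV from the
# AD CS host. Host names, accounts and addresses are made up.
SAMPLE = """EventID,LogonType,AuthenticationPackageName,TargetUserName,IpAddress
4624,3,NTLM,DC01$,10.0.0.99
4624,3,Kerberos,DC01$,10.0.0.10
4624,3,NTLM,svc-scan,10.0.0.50
4624,3,NTLM,svc-scan,10.0.0.50
4624,3,NTLM,WS07$,10.0.0.77
4624,2,Negotiate,alice,-
"""

# Assumption: known addresses per machine account, e.g. taken from DNS or a CMDB.
KNOWN_HOSTS = {"DC01$": {"10.0.0.10"}, "WS07$": {"10.0.0.77"}}

def ntlm_network_logons(csv_text):
    """Yield 4624 network logons (type 3) that authenticated with NTLM."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row["EventID"] == "4624" and row["LogonType"] == "3"
                and row["AuthenticationPackageName"].upper() == "NTLM"):
            yield row

def inventory(csv_text):
    """Count NTLM logons per (account, source): what disabling NTLM would break."""
    return Counter((r["TargetUserName"], r["IpAddress"])
                   for r in ntlm_network_logons(csv_text))

def relay_suspects(csv_text, known_hosts):
    """Machine accounts whose NTLM logon came from an address that is not theirs.

    A relayed authentication arrives from the relaying host, so the source
    address does not match the machine the account belongs to. Machine
    accounts missing from known_hosts are flagged as well."""
    suspects = []
    for r in ntlm_network_logons(csv_text):
        user, ip = r["TargetUserName"], r["IpAddress"]
        if user.endswith("$") and ip not in known_hosts.get(user, set()):
            suspects.append((user, ip))
    return suspects

if __name__ == "__main__":
    for (user, ip), n in inventory(SAMPLE).most_common():
        print(f"{n:3d} NTLM logons  {user:10s} from {ip}")
    for user, ip in relay_suspects(SAMPLE, KNOWN_HOSTS):
        print(f"REVIEW: {user} authenticated with NTLM from unexpected {ip}")
```

The inventory shows which accounts and hosts still depend on NTLM before any blocking policy is applied; the suspect list is a review queue, not proof of a relay.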