Microsoft presents an optimal defense against the NTLM Windows Server relay attack by PetitPotam
Last week, information about PetitPotam was published on GitHub by French cybersecurity researcher Gilles Lionel. Lionel discovered that, thanks to a tool he had created, it was possible “to force Windows hosts to authenticate to other machines via the MS-EFSRPC EfsRpcOpenFileRaw function”. Simply put, an attacker could use the program to extract credentials and NTLM certificates from a remote Windows server and then take over.
Finally finished testing it, it’s pretty brutal! Network access to full AD support … I really underestimated the impact of NTLM relay on PKI # ESC8 ð±The combo with PetitPotam is awesome!
Everything is already published to use it quickly … https://t.co/NVe6QJFrx6 pic.twitter.com/q55OyC7dME– Rémi Escourrou (@remiescourrou) July 22, 2021
In a recent safety notice, Microsoft explains that âPetitPotam is a classic NTLM relay attack, and such attacks have already been documented by Microsoft with many mitigation options to protect customers. These mitigation tactics include disabling NTLM on all Active Directory Certificate Services (AD CS) servers through Group Policy and disabling NTLM for Internet Information Services (IIS) on AD CS servers in the domain. This can be done by following the Microsoft tutorial provided in the advisory.
As it stands, PetitPotam has not been found in the wild, but that could change quite quickly as news of the attack vector spreads. Other web security researchers have commented on how bad this vulnerability is for security, which should be taken as a warning. Hopefully a suitable fix will be released before this takes off, so stay tuned for HotHardware for updates.