07.26.21

PetitPotam NTLM Relay Attack

By Deepwatch

Summary

A French security researcher, Gilles Lionel, discovered a new NTLM relay attack he has dubbed PetitPotam. Gilles published a proof-of-concept (PoC) to his GitHub account on July 18th. Gilles noted that the flaw works by forcing “Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.”

The attack “enables a domain controller (DC) to authenticate against a remote NTLM under a bad actor’s control using the MS-EFSRPC interface and share its authentication information. This is done by connecting to LSARPC, resulting in a scenario where the target server connects to an arbitrary server and performs NTLM authentication.”

Affected Versions

  • Windows servers with NTLM enabled and using Active Directory Certificate Services (AD CS) with the following services:
    • Certificate Authority Web Enrollment, or
    • Certificate Enrollment Web Service

Impact

Successful exploitation gives an attacker an authentication certificate that can be used to access domain services as a DC and the potential to compromise the entire domain.

Workarounds

To mitigate this attack, Microsoft released KB5005413 on July 23rd. Microsoft states that the preferred mitigation measure is to “disable NTLM authentication on your Windows domain controller as the simplest mitigation. This can be accomplished by following the documentation in Network security: Restrict NTLM: NTLM authentication in this domain.”

Microsoft also provided additional mitigations if you are unable to disable NTLM for compatibility reasons. They are listed from most secure to least secure:

  • Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.
  • Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.

To see implementation details for either of these workarounds, Deepwatch recommends referring to Microsoft’s guidance provided by KB5005413.
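As an added check for the workarounds above (written for this note, not code from Deepwatch or from Microsoft's KB), the script below reads the registry values that the "Restrict NTLM" group policies set and lists the Windows authentication providers configured for the Web Enrollment application in IIS. The `Default Web Site/CertSrv` location and the `WebAdministration` module are assumptions; adjust them if your AD CS web services are installed elsewhere.

```powershell
# Added example: reads the registry values behind the "Restrict NTLM"
# policies named above and the IIS auth providers of Web Enrollment, then
# reports whether NTLM is still accepted. Run elevated on a DC or AD CS
# server. Absent value = policy "Not Defined" = NTLM allowed.
$Checks = @(
    @{ Policy = 'Restrict NTLM: NTLM authentication in this domain'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name   = 'RestrictNTLMInDomain'
       Safe   = @(7) },  # 7 = Deny all; lower values still permit some NTLM
    @{ Policy = 'Restrict NTLM: Incoming NTLM traffic'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name   = 'RestrictReceivingNTLMTraffic'
       Safe   = @(2) },  # 2 = Deny all accounts; 1 = Deny domain accounts only
    @{ Policy = 'Restrict NTLM: Audit NTLM authentication in this domain'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name   = 'AuditNTLMInDomain'
       Safe   = @(7) }   # 7 = Audit all; enable this before enforcing a deny
)

function Get-NtlmRestrictionStatus {
    foreach ($c in $Checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $shown = if ($null -eq $value) { 'Not Defined' } else { $value }
        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = $shown
            Enforced = ($null -ne $value) -and ($c.Safe -contains $value)
        }
    }
}

# IIS side: the Web Enrollment app should list only 'Negotiate:Kerberos';
# an 'NTLM' provider or plain 'Negotiate' still allows NTLM fallback.
# Assumes the default 'Default Web Site/CertSrv' location (hypothetical).
function Get-CertSrvAuthProviders {
    Import-Module WebAdministration -ErrorAction Stop
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site/CertSrv' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'providers').Collection | ForEach-Object { $_.value }
}

Get-NtlmRestrictionStatus | Format-Table -AutoSize
$p = Get-CertSrvAuthProviders
"CertSrv providers: $($p -join ', '); NTLM still possible: $($p -contains 'NTLM' -or $p -contains 'Negotiate')"
```

Turning on the audit policy first and reviewing the resulting NTLM Operational log events shows which clients still depend on NTLM before a deny setting is enforced.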

Supporting Information

  • https://twitter.com/topotam77/status/1416833996923809793?s=20
  • https://github.com/topotam/PetitPotam
  • https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
  • https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
  • https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html
  • https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
