Microsoft shares mitigations for new PetitPotam NTML relay attack

Microsoft has released mitigations for the new PetitPotam NTLM relay attack that allows taking over a domain controller or other Windows servers.

PetitPotam is a new method that can be used to conduct an NTLM relay attack discovered by French security researcher Gilles Lionel (Topotam). This method was disclosed this week along with a proof-of-concept (PoC) script.

The new attack uses the Microsoft Encrypting File System Remote Protocol (EFSRPC) to force a device, including domain controllers, to authenticate to a remote NTLM relay controlled by a threat actor.

Once a device authenticates to a malicious NTLM server, a threat actor can steal hash and certificates that can be used to assume the identity of the device and its privileges.

Mitigation limited to Domain Controllers

After news of the PetitPotam NTLM relay attack broke yesterday, Microsoft published a security advisory with recommendations for organizations to defend against threat actors using the new technique on domain controllers.

The company says that organizations exposed to PetitPotam, or other relay attacks, have NTLM authentication enabled on the domain and are using Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment or Certificate Enrollment Web Service.

In a tweet earlier today, Microsoft recommends disabling NTLM where it is not necessary, e.g. Domain Controllers, or to enable the Extended Protection for Authentication mechanism to protect credentials on Windows machines.

Microsoft advisory on PetitPotam NTLM relay attack
source: Microsoft

The company also recommends on networks with NTLM enabled that services allowing NTLM authentication to use signing features such as SMB signing that’s been available since Windows 98.

“PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks [as outlined in KB5005413]” - Microsoft

However, PetitPotam is about abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to pass on authentication requests, leaving the door open for other attacks.

Microsoft's advisory is clear about the action to prevent NTLM relay attacks but does not address the abuse of the MS-EFSRPC API, which would need a security update to fix.

Gilles Lionel told BleepingComputer that PetitPotam allows other atacks, such as a downgrading attack to NTLMv1 that uses the Data Encryption Standard (DES) - an insecure algorithm due to its short, 56-bit key generation that makes it easy to recover a password hash.

One example, Gilles Lionel told BleepingComputer, is a downgrading attack to NTLMv1 that uses the Data Encryption Standard (DES) - an insecure algorithm due to its short, 56-bit key generation that makes it easy to recover a password hash.

An attacker can then use the account on machines where it has local admin privileges. Lionel says that Exchange and Microsoft System Center Configuration Manager (SCCM) servers are a common scenario.

Benjamin Delpy expressed criticism at the way Microsoft decided to mitigate PetitPotam, highlighting that the EFSRPC protocol is not even mentioned in the advisory.

PetitPotam affects Windows Server 2008 through 2019. Microsoft’s advisory notes that the technique has not been exploited in the wild yet but has no assessment about the exploitability level.

Related Articles:

Windows KB5035849 update failing to install with 0xd000034 errors

Windows Kernel bug fixed last month exploited as zero-day since August

Windows 10 KB5035941 update released with lock screen widgets

Microsoft releases emergency fix for Windows Server crashes

New Windows Server updates cause domain controller crashes, reboots