A new type of NTLM relay attack dubbed PetitPotam poses a threat to the security of Windows systems. According to researchers, this attack differs from earlier ones in that it exploits the Encrypting File System Remote Protocol, and it ultimately leads to the takeover of Windows domains.
PetitPotam NTLM Relay Attacks
A security researcher, Gilles Lionel (alias Topotam), has recently disclosed a new NTLM relay attack, dubbed PetitPotam. The attack exploits Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC), which is enabled by default on Windows servers and workstations.
Describing this protocol in a separate document, Microsoft states,
Specifies the Encrypting File System Remote (EFSRPC) Protocol, which performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network.
The PetitPotam attack requires no authentication for execution against Active Directory Certificate Services (AD CS).
The researcher has also released a PoC exploit on GitHub.
While this isn't the first NTLM relay attack, it differs in the function it exploits. The previously discovered attack method exploited the Windows MS-RPRN printing API. What the two attacks have in common is that the exploited services are enabled by default.
After the discovery of the first attack, many organizations disabled MS-RPRN as a mitigation, but the new attack method has revived the threat.
Microsoft Advises Mitigations
Following the discovery of the PetitPotam attack, Microsoft issued a detailed advisory on mitigations.
The tech giant explained that executing this attack requires the adversary to have the domain credentials of the target network.
As a mitigation, Microsoft advised disabling NTLM where it is not required, although doing so risks breaking environments.
Moreover, Microsoft recommended that domain admins protect the services that permit NTLM authentication with Extended Protection for Authentication (EPA) or with signing features such as SMB signing. According to the tech giant,
PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks.
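A local audit of the three settings named above (SMB signing, NTLM restriction, EPA on AD CS web enrollment), written here as an added example and not part of the article or of Microsoft's advisory. It assumes it runs elevated on the server being checked, that the NTLM policy values live at their documented registry locations, and that the CA web enrollment site is at the default IIS path `Default Web Site/CertSrv` (adjust if yours differs).

```powershell
# Added audit script: reports the NTLM-relay-relevant settings on the local host.
# Assumptions: elevated session; WebAdministration module present for the EPA check;
# AD CS web enrollment at the default IIS path 'Default Web Site/CertSrv'.
function Get-NtlmRelayPosture {
    $r = [ordered]@{}

    # 1. SMB signing: is the server *requiring* signatures? (built-in cmdlet)
    $smb = Get-SmbServerConfiguration
    $r['SmbSigningRequired'] = [bool]$smb.RequireSecuritySignature

    # 2. "Network security: Restrict NTLM" policies, stored under MSV1_0.
    #    RestrictReceivingNTLMTraffic: 0 allow all, 1 deny domain accounts, 2 deny all
    #    RestrictSendingNTLMTraffic:   0 allow all, 1 audit all, 2 deny all
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $p = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
    $r['RestrictReceivingNTLMTraffic'] = $p.RestrictReceivingNTLMTraffic
    $r['RestrictSendingNTLMTraffic']   = $p.RestrictSendingNTLMTraffic

    # 3. EPA (tokenChecking) on the AD CS web enrollment site; 'Require' is the goal.
    $epaValue = 'IIS module unavailable'
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $epa = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertSrv' `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking' -ErrorAction SilentlyContinue
        if ($null -eq $epa) { $epaValue = 'not found' }
        elseif ($epa.PSObject.Properties['Value']) { $epaValue = [string]$epa.Value }
        else { $epaValue = [string]$epa }
    }
    $r['CertSrvEpaTokenChecking'] = $epaValue

    # Flag the weak combinations a relay attack depends on.
    $findings = @()
    if (-not $r['SmbSigningRequired']) { $findings += 'SMB signing not required' }
    if ($null -eq $p -or [int]$p.RestrictReceivingNTLMTraffic -lt 2) {
        $findings += 'Inbound NTLM still accepted'
    }
    if ($epaValue -ne 'Require') { $findings += 'CertSrv EPA tokenChecking is not Require' }
    $r['Findings'] = $findings
    [pscustomobject]$r
}

Get-NtlmRelayPosture | Format-List
```

An empty `Findings` list means the host has the protections the advisory describes; each listed finding maps to one of the three mitigations.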
It has not, however, shared anything yet about possible patches from its end.