- Table of contents
The Cyberint Research Team work round the clock to unearth the latest threats to SMBs and enterprises. They are on top of the latest TTPs and monitor rising threat groups, malwares and trends.
Table of contents
PetitPotam – NTLM Relay Attack
Recently published by Lionel Gilles, an offensive security researcher based in France, ‘PetitPotam’ is a proof-of-concept (PoC) tool  used for NT LAN Manager (NTLM) relay attacks that, when executed properly, grants threat actors the ability to take over a Windows Active Directory (AD) domain, including domain controllers (DC), where Active Directory Certificate Services (ADCS) are used.
Similar to classic in-the-middle (ITM) or replay attacks, PetitPotam applies similar concepts to its relay attack:
- Interception of a conversation between at least two parties within the network.
- Inspecting and/or alter the information sent.
- Save captured data for later abuse.
Rather than exploiting a specific vulnerability, PetitPotam ‘abuses’ a method in the authentication process of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC), a legitimate feature used to perform maintenance and management operations on encrypted data stored remotely.
Having abused this method, the targeted Windows host is forced to authenticate against another arbitrary host, relaying NTLM credentials, allowing the acquisition of an authentication certificate that can be used to request a Ticket Granting Ticket (TGT) that can lead to domain compromise.
In this instance, the PoC relays authentication to a Certificate Services server and therefore those with Microsoft Active Directory Certificate Services (ADCS) deployed are potentially vulnerable.
Microsoft have provided several mitigation options, although no patch has been released to date, and, whilst there are no specific reports of this tool being used in the wild, threat actors and red teamers will undoubtedly add this method to their attack arsenals.
PetitPotam exploitation requires the threat actor to have access to a domain-connected user account within the target network, be that a malicious insider or compromised account.
Having acquired an account, the threat actor will most likely attempt to target a Domain Controller (DC) using the
EfsRpcOpenFileRaw method within the MS-EFSRPC API resulting in authentication information being relayed to another host via a Local Security Authority Remote Procedure Call (LSARPC) on TCP port 445.
Widely criticized in the past, NTLM is often known for being a somewhat easy target for relay attacks as a result of challenge-response design flaws.
In this instance, the proof-of-concept (PoC) relays NTLM credentials to an Active Directory Certificate Services (ADCS) host running either the Certificate Authority Web Enrolment or Certificate Enrolment Web Services, used for enrolling client authentication certificates, leading to the ability to gain escalated privileges and allowing an authentication certificate for targeted DC account to be acquired.
Having obtained this authentication certificate, the threat actor can then abuse the Kerberos protocol to gain access to the Active Directory (AD) domain subsequently allowing the privileged actions including:
- Management of domain accounts and groups, including privileged users such as administrators and/or service accounts as well as security and/or distribution groups.
- Management of group and security policy objects within the domain, including deployment to other hosts.
Additionally, the threat actor would gain the ability to delivery malicious payloads within the network, making this threat a valuable precursor to some larger attack as well as creating backdoor accounts.
The use of PetitPotam or derivative threats can potentially be detected by monitoring a Domain Controller’s (DC) Windows Security Log for Event ID 4768, a Ticket Granting Ticket (TGT) request, where the event indicates that a certificate was used for the request.
- Giving PetitPotam relies on an NTLM relay attack, organizations should consider implementing NTLM mitigations such as Extended Protection for Authentication (EPA) or SMB signing.
- Organizations should also follow the mitigation advice provided by Microsoft in KB5005413, specifically enabling EPA on Active Directory Certificate Services (ADCS) servers as well as requiring the use of SSL.
- Where the above mitigations are impractical, reports suggest that Network Shell (
netsh) filters can be configured to block remote procedure calls to the MS-EFSRPC API by matching universally unique identifiers (UUID) used in the initial stages of a PetitPotam attack.