New PetitPotam attack allows take over of Windows domains

guest · Jul 23, 2021

New PetitPotam attack allows take over of Windows domains
July 23, 2021
https://www.bleepingcomputer.com/ne...m-attack-allows-take-over-of-windows-domains/

A new NTLM relay attack called PetitPotam has been discovered that allows threat actors to take over a domain controller, and thus an entire Windows domain.

Many organizations utilize Microsoft Active Directory Certificate Services, which is a public key infrastructure (PKI) server that can be used to authenticate users, services, and machines on a Windows domain.
In the past, researchers discovered a method to force a domain controller to authenticate against a malicious NTLM relay that would then forward the request to a domain's Active Directory Certificate Services via HTTP.
Click to expand...

Introducing PetitPotam
This week, French security researcher GILLES Lionel, aka Topotam, disclosed a new technique called 'PetitPotam' that performs an NTLM relay attack that does not rely on the MS-RPRN API but instead uses the EfsRpcOpenFileRaw function of the MS-EFSRPC API.

MS-EFSRPC is Microsoft's Encrypting File System Remote Protocol that is used to perform "maintenance and management operations on encrypted data that is stored remotely and accessed over a network."

Lionel has released a proof-of-concept script for the PetitPotam technique on GitHub that can be used to force a domain controller to authenticate against a remote NTLM under an attacker's control using the MS-EFSRPC API.
Click to expand...

PetitPotam is 'brutal'
Since the release of PetitPotam, security researchers have been quick to test the PoC and its effectiveness.

"Finally finished testing it, it's quite brutal! Network access to full AD takeover... I really underestimated the impact of NTLM relay on PKI ESC8 The combo with PetitPotam is awesome!," tweeted security researcher Rémi Escourrou.

"Actually, no way to block PetitPotam (to my current knowledge) but you can harden the HTTP service of the PKI to avoid the NTLM relay," Escourrou told BleepingComputer in a conversation last night.
Click to expand...

guest · Jul 24, 2021

Microsoft shares mitigations for new PetitPotam NTML relay attack
July 24, 2021
https://www.bleepingcomputer.com/ne...gations-for-new-petitpotam-ntml-relay-attack/

Microsoft has released mitigations for the new PetitPotam NTLM relay attack that allows taking over a domain controller or other Windows servers.

PetitPotam is a new method that can be used to conduct an NTLM relay attack discovered by French security researcher Gilles Lionel (Topotam). This method was disclosed this week along with a proof-of-concept (PoC) script.
The new attack uses the Microsoft Encrypting File System Remote Protocol (EFSRPC) to force a device, including domain controllers, to authenticate to a remote NTLM relay controlled by a threat actor.
Click to expand...

Mitigation limited to Domain Controllers
After news of the PetitPotam NTLM relay attack broke yesterday, Microsoft published a security advisory with recommendations for organizations to defend against threat actors using the new technique on domain controllers.

In a tweet earlier today, Microsoft recommends disabling NTLM where it is not necessary, e.g. Domain Controllers, or to enable the Extended Protection for Authentication mechanism to protect credentials on Windows machines.
The company also recommends on networks with NTLM enabled that services allowing NTLM authentication to use signing features such as SMB signing that’s been available since Windows 98.

“PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks [as outlined in KB5005413]” - Microsoft
Click to expand...

Microsoft”s advisory is clear about the action to prevent NTLM relay attacks but does not address the abuse of the MS-EFSRPC API, which would need a security update to fix.
Benjamin Delpy expressed criticism at the way Microsoft decided to mitigate PetitPotam, highlighting that the EFSRPC protocol is not even mentioned in the advisory.
Click to expand...

guest · Jul 26, 2021

Enterprises Warned of New PetitPotam Attack Exposing Windows Domains
July 26, 2021
https://www.securityweek.com/enterprises-warned-new-petitpotam-attack-exposing-windows-domains

The technique was disclosed last week after France-based security researcher Lionel Gilles (aka Topotam) posted a proof-of-concept (PoC) exploitation tool named PetitPotam on GitHub.

PetitPotam can be chained with an exploit targeting Active Directory Certificate Services (AD CS), which provides public key infrastructure (PKI) functionality.

“An attacker can target a Domain Controller to send its credentials by using the MS-EFSRPC protocol and then relaying the DC [domain controller] NTLM credentials to the Active Directory Certificate Services AD CS Web Enrollment pages to enroll a DC certificate,” cybersecurity firm Truesec explained in a blog post.
The SANS Institute’s Internet Storm Center has published a step-by-step description of the attack.
Click to expand...

However, some members of the cybersecurity industry are not happy with Microsoft’s response.

SANS’s Bojan Zdrnjan noted, “What [Microsoft’s advisory] missed is the fact that the PetitPotam vulnerability ... is a completely separate issue — it allows an attacker to provoke a server to authenticate to an arbitrary machine. Abusing AD CS is just one way to use this — any service that allows NTLM authentication can probably be abused similarly (Print Spooler could be a candidate).”
Click to expand...

waking · Jul 26, 2021

Windows “PetitPotam” network attack – how to protect against it

https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/

EASTER · Jul 26, 2021

waking said: ↑

Windows “PetitPotam” network attack – how to protect against it

https://nakedsecurity.sophos.com/2021/07/26/windows-petitpotam-network-attack-how-to-protect-against-it/
Click to expand...

Thank You for your post. Informative and spot on.

guest · Aug 2, 2021

Windows PetitPotam attacks can be blocked using new method
August 2, 2021
https://www.bleepingcomputer.com/ne...otam-attacks-can-be-blocked-using-new-method/

Security researchers have devised a way to block the recently disclosed PetitPotam attack vector that allows hackers to take control of a Windows domain controller easily.

Last month, security researcher GILLES Lionel disclosed a new method called PetitPotam that forces a Windows machine, including a Windows domain controller, to authenticate against a threat actor's malicious NTLM relay server using the Microsoft Encrypting File System Remote Protocol (EFSRPC).
While Microsoft's suggestions may prevent NTLM relay attacks, they do not provide any guidance on blocking PetitPotam, which can be used as a vector for other attacks.
Click to expand...

Blocking PetitPotam attacks using NETSH filters
The good news is that researchers have figured out a way to block the remote unauthenticated PetitPotam attack vector using NETSH filters without affecting local EFS functionality.
NETSH is a Windows command-line utility that allows administrators to configure network interfaces, add filters, and modify the Windows firewall configuration.
Click to expand...

EASTER · Aug 2, 2021

Very interesting discovery using the NETSH filter function to block it.

guest · Aug 6, 2021

Windows PetitPotam vulnerability gets an unofficial free patch
August 6, 2021
https://www.bleepingcomputer.com/ne...-vulnerability-gets-an-unofficial-free-patch/

A free unofficial patch is now available to block attackers from taking over domain controllers and compromising entire Windows domains via PetitPotam NTLM relay attacks.

While Microsoft's advisory is designed to help prevent NTLM relay attacks, it does not provide any guidance on how to actually block PetitPotam, which could also be used as a vector for other attacks such as NTLMv1 downgrades.
Free PetitPotam micropatch available
The 0patch micropatching service has released today a free unofficial patch that can be used to block PetitPotam NTLM relay attacks on the following Windows version: [...]

"Micropatches for this vulnerability are, as always, automatically downloaded and applied to all affected computers (unless your policy prevents that), and will be free until Microsoft has issued an official fix," 0patch co-founder Mitja Kolsek said.
Click to expand...

guest · Aug 10, 2021

Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks
Vulnerability Note VU#405600
August 2, 2021 (Updated: August 4, 2021)
https://kb.cert.org/vuls/id/405600

Overview
Microsoft Windows Active Directory Certificate Services (AD CS) by default can be used as a target for NTLM relay attacks, which can allow a domain-joined computer to take over the entire Active Directory.
Description
PetitPotam is a tool to force Windows hosts to authenticate to other machines by using the Encrypting File System Remote (EFSRPC) EfsRpcOpenFileRaw method.
[...] Although Microsoft refers to this entire attack chain as "PetitPotam" in KB5005413, it is important to realize that PetitPotam is simply the single PoC exploit used to invoke an NTLM authentication request by way of a EfsRpcOpenFileRaw request.
Click to expand...

Impact
By making a crafted RPC request to a vulnerable Windows system, a remote attacker may be able to leverage the NTLM authentication information that is included in the request that is generated. In the case of AD CS, this can allow an attacker on any domain-joined system to be able to compromise the Active Directory.
Solution
The CERT/CC is currently unaware of a practical solution to this problem. Please see KB5005413 for several workarounds.
Click to expand...

guest · Aug 10, 2021

Windows security update blocks PetitPotam NTLM relay attacks
August 10, 2021
https://www.bleepingcomputer.com/ne...-update-blocks-petitpotam-ntlm-relay-attacks/

Microsoft has released security updates that block the PetitPotam NTLM relay attack that allows a threat actor to take over a Windows domain.
Microsoft blocks the PetitPotam vector
As part of the August 2021 Patch Tuesday updates, Microsoft has released a security update that blocks the PetitPotam vector (CVE-2021-36942), so it cannot force a domain controller to authenticate against another server.:

"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM," explains Microsoft in the CVE-2021-36942 advisory.
"This security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through LSARPC interface."
Click to expand...

Microsoft warns that installing this update may affect backup software that utilizes the EFS API OpenEncryptedFileRaw(A/W) function.

"The EFS API OpenEncryptedFileRaw(A/W), often used in backup software, continues to work in all versions of Windows (local and remote), except when backing up to or from a system running Windows Server 2008 SP2. OpenEncryptedFileRaw will no longer work on Windows Server 2008 SP2," warns Microsoft.
Click to expand...

guest · Aug 19, 2021

mood said: ↑

Windows PetitPotam vulnerability gets an unofficial free patch
August 6, 2021
https://www.bleepingcomputer.com/ne...-vulnerability-gets-an-unofficial-free-patch/
Click to expand...

New unofficial Windows patch fixes more PetitPotam attack vectors
August 19, 2021
https://www.bleepingcomputer.com/ne...s-patch-fixes-more-petitpotam-attack-vectors/

A second unofficial patch for the Windows PetitPotam NTLM relay attack has been released to fix further issues not addressed by Microsoft's official security update.
Unfortunately, Microsoft's update is incomplete, and it is still possible to abuse PetitPotam.

To provide a more complete patch, the 0patch micropatching service has released an updated unofficial patch that can be used to block all known PetitPotam NTLM relay attacks [...]

"What we did was patch just one function that is called from all these and is responsible for sending System's credentials to attacker's endpoint," 0patch cofounder Mitja Kolsek told BleepingComputer.
"As with our previous patch, we enclosed this function in an impersonation block, resulting in attacker only getting their own credentials back instead of System's."
Click to expand...

guest · Aug 20, 2021

LockFile ransomware uses PetitPotam attack to hijack Windows domains
August 20, 2021
https://www.bleepingcomputer.com/ne...-petitpotam-attack-to-hijack-windows-domains/

At least one ransomware threat actor has started to leverage the recently discovered PetitPotam NTLM relay attack method to take over the Windows domain on various networks worldwide.

Behind the attacks appears to be a new ransomware gang called LockFile that was first seen in July, which shows some resemblance and references to other groups in the business.
Click to expand...

Exploiting PetitPotam for DC access
LockFile attacks have been recorded mostly in the U.S. and Asia, its victims including organizations in the following sectors: financial services, manufacturing, engineering, legal, business services, travel, and tourism.
Security researchers at Symantec, a division of Broadcom, said that the actor’s initial access on the network is through Microsoft Exchange servers but the exact method remains unknown at the moment.

Next, the attacker takes over the organization’s domain controller by leveraging the new PetitPotam method, which forces authentication to a remote NTLM relay under LockFile’s control.
Click to expand...

The researchers say that when compromising the victim’s Exchange server, the attacker runs a PowerShell command that downloads a file from a remote location.

In the last stage of the attack, 20 to 30 minutes before deploying the ransomware, the threat actor proceeds to take over the domain controller by installing on the compromised Exchange server the PetitPotam exploit and two files: [...]
The final step is to copy the LockFile ransomware payload on the local domain controller and push it across the network with the help of a script and executables that run on client hosts immediately after authentication to the server.
Click to expand...

Symantec: LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers

Dragon1952 · Aug 31, 2021

LockFile ransomware’s box of tricks: intermittent encryption and evasion https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/…

Log in or Sign up

New PetitPotam attack allows take over of Windows domains

guest Guest

guest Guest

guest Guest

waking Registered Member

EASTER Registered Member

guest Guest

EASTER Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Dragon1952 Registered Member

Log in or Sign up

New PetitPotam attack allows take over of Windows domains

guest Guest

guest Guest

guest Guest

waking Registered Member

EASTER Registered Member

guest Guest

EASTER Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Dragon1952 Registered Member

Useful Searches