Threat Response: PetitPotam NTLM Relay Attack
Last Friday, July 23, 2021, details of a new NTLM relay attack, named 'PetitPotam', were published. The attack allows an attacker with access to the network to coerce systems in the domain into authenticating to a host of the attacker's choosing, and to abuse that authentication elsewhere. This can eventually lead to privilege escalation within the domain environment. This message explains what the threat entails and how you can reduce the risk of successful exploitation.
The attack abuses the MS-EFSRPC protocol (Encrypting File System Remote Protocol), which is used to perform maintenance and management tasks on encrypted data stored remotely. By calling the EfsRpcOpenFileRaw procedure with a UNC path that points at a host under their control, an attacker can force any system that exposes this interface, including a domain controller, to authenticate to that host with NTLM. Note that the attacker does not obtain a reusable password hash from this: an NTLM response is computed over the challenge issued by the attacker's server and cannot simply be replayed later, and a machine account's password is not practically crackable. What the attacker does instead is relay the authentication exchange in real time to another service that accepts NTLM, so that this service treats the attacker's connection as the coerced system's machine account.
If NTLM authentication is enabled within your domain environment and you have Active Directory Certificate Services deployed with either of the roles listed below on systems in the network, your environment may be vulnerable to this attack path.
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service
By relaying the coerced NTLM authentication to the web endpoint of one of these services (for Web Enrollment this is the /CertSrv application on the CA's web server), the attacker can request and obtain a certificate issued to the relayed machine account, for example the account of a domain controller. Such a certificate is a valid credential in its own right: it can be used to authenticate to the domain as that account, for instance by obtaining a Kerberos ticket through PKINIT, and with a domain controller's identity the attacker can replicate credential material from Active Directory.
Although this particular attack chain uses the Certificate Services as its relay target, other services that accept NTLM authentication without enforcing signing or channel binding (for example LDAP or SMB endpoints on which signing is not required) may offer comparable attack paths.
When the services described above are in use, an attacker can take over systems in the domain, up to and including a domain controller. Given this, Northwave estimates the probability to be average and the impact to be high.
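To check whether a CA or enrollment server is exposed in the way described above, the following PowerShell script is added here as an example; it is not code from the Northwave advisory. It assumes it is run in an elevated PowerShell on the AD CS server itself, that the ServerManager and WebAdministration modules are available, and that the applications sit under 'Default Web Site' with their default names ('CertSrv' for Web Enrollment, '<CA name>_CES_<auth type>' for the Certificate Enrollment Web Service). It reads configuration only and changes nothing.

```powershell
# Added example, not code from the Northwave advisory: audit an AD CS server for the
# conditions under which its enrollment web services would accept a relayed NTLM
# authentication. Assumptions: elevated PowerShell on the CA / enrollment server,
# ServerManager and WebAdministration modules available, applications under
# 'Default Web Site' with default names ('CertSrv', '<CA name>_CES_<auth type>').
Import-Module ServerManager
Import-Module WebAdministration

$site = 'Default Web Site'

# 1. Is either affected role installed at all? (real AD CS feature names)
$roles = Get-WindowsFeature -Name ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc |
    Where-Object Installed | Select-Object -ExpandProperty Name
if (-not $roles) {
    Write-Output 'Neither CA Web Enrollment nor Certificate Enrollment Web Service is installed here.'
    return
}
Write-Output "Installed AD CS web roles: $($roles -join ', ')"

# 2. Host-wide policy "Network security: Restrict NTLM: Incoming NTLM traffic".
#    Registry mirror of the GPO: 2 = Deny all accounts, 1 = Deny all domain accounts, 0/absent = Allow all.
$msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
$restrict = if ($null -ne $msv.RestrictReceivingNTLMTraffic) { [int]$msv.RestrictReceivingNTLMTraffic } else { 0 }
if ($restrict -eq 2) { Write-Output 'Incoming NTLM: denied for all accounts (OK)' }
else                 { Write-Output "Incoming NTLM: still accepted (RestrictReceivingNTLMTraffic = $restrict) - FINDING" }

# 3. Per-application IIS settings: Windows authentication providers, EPA and TLS requirement.
$apps = Get-WebApplication -Site $site |
    Where-Object { $_.path -eq '/CertSrv' -or $_.path -like '/*_CES_*' } |
    ForEach-Object { $_.path.TrimStart('/') }

foreach ($app in $apps) {
    $loc = "$site/$app"
    $winAuth = Get-WebConfiguration -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/authentication/windowsAuthentication'
    $providers = (Get-WebConfiguration -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/providers').Collection |
        Select-Object -ExpandProperty value
    $sslFlags = (Get-WebConfiguration -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/access').sslFlags

    if (-not $winAuth.enabled) {
        Write-Output "$loc : Windows authentication disabled; no NTLM relay target here"
        continue
    }
    $findings = @()
    # Plain 'Negotiate' falls back to NTLM when Kerberos fails, so only 'Negotiate:Kerberos' on its own is safe.
    if ($providers -contains 'NTLM' -or $providers -contains 'Negotiate') {
        $findings += "NTLM accepted (providers: $($providers -join ', '))"
    }
    if ($winAuth.extendedProtection.tokenChecking -ne 'Require') {
        $findings += "EPA tokenChecking is '$($winAuth.extendedProtection.tokenChecking)', not 'Require'"
    }
    if ($sslFlags -notmatch 'Ssl') {
        $findings += "TLS not required (sslFlags = '$sslFlags'); EPA channel binding needs TLS"
    }
    if ($findings) { Write-Output "$loc : FINDING: $($findings -join '; ')" }
    else           { Write-Output "$loc : OK (Kerberos only, EPA required, TLS required)" }
}
```

A server that reports a FINDING on any of its enrollment applications, combined with incoming NTLM still being accepted, is a usable relay target for the coerced authentication; the domain controllers themselves are not checked by this script.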
On Friday, July 23, 2021, Microsoft published a security advisory that describes measures to mitigate this attack. At the time of writing, there is no update available that resolves the vulnerability in the MS-EFSRPC protocol; the advisory addresses the relay target (AD CS), not the coercion itself.
By taking several mitigating measures, you can reduce the likelihood of successful exploitation. The primary mitigating measure is to disable NTLM authentication within the domain environment, starting with the domain controllers. NTLM is a legacy protocol with known weaknesses. Northwave recommends disabling NTLM within your domain where it is not required. Enable the 'Network security: Restrict NTLM: Audit' policies first, so that applications and devices that still depend on NTLM are identified before NTLM is blocked.
When disabling NTLM authentication across the environment is not possible, for example for compatibility reasons, a partial mitigation is available. On the servers that provide Active Directory Certificate Services it consists of enabling Extended Protection for Authentication (set to Required) together with a TLS requirement on the Certificate Authority Web Enrollment and Certificate Enrollment Web Service applications in IIS, and of disabling NTLM authentication on those servers, both in IIS (Windows authentication providers limited to Negotiate:Kerberos) and at host level (Network security: Restrict NTLM: Incoming NTLM traffic). These measures do not prevent the coercion, but they cause the AD CS endpoints to reject a relayed NTLM authentication, which removes the certificate issuance step from the attack chain.
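The partial mitigation described above, as an added PowerShell example that is not code from the Northwave advisory or from Microsoft. It assumes an elevated PowerShell on the CA / enrollment server, the WebAdministration module, and the default site and application names ('Default Web Site', 'CertSrv', '<CA name>_CES_<auth type>'). Test it in a lab first: clients that can only authenticate with NTLM (non-domain-joined hosts, or enrollment URLs that use an IP address for which no SPN exists) will no longer be able to enroll through these endpoints.

```powershell
# Added example, not code from the Northwave advisory or from Microsoft: apply the partial
# mitigation on an AD CS enrollment server. Assumptions: elevated PowerShell on the
# CA / enrollment server, WebAdministration module available, applications under
# 'Default Web Site' with default names ('CertSrv', '<CA name>_CES_<auth type>').
Import-Module WebAdministration

$site = 'Default Web Site'
$apps = Get-WebApplication -Site $site |
    Where-Object { $_.path -eq '/CertSrv' -or $_.path -like '/*_CES_*' } |
    ForEach-Object { $_.path.TrimStart('/') }

foreach ($app in $apps) {
    $loc       = "$site/$app"
    $winAuth   = 'system.webServer/security/authentication/windowsAuthentication'
    $providers = "$winAuth/providers"

    # Extended Protection for Authentication = Required: the NTLM exchange must carry a
    # channel binding token that matches the TLS session it arrives over. An authentication
    # relayed from the attacker's server was bound to a different (or no) TLS session,
    # so IIS rejects it.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $winAuth `
        -Name 'extendedProtection.tokenChecking' -Value 'Require'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $winAuth `
        -Name 'extendedProtection.flags' -Value 'None'

    # Channel binding only exists on a TLS connection, so require SSL on the application.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

    # Replace the Windows authentication providers with Negotiate:Kerberos only, so IIS
    # never offers or accepts NTLM on these endpoints (plain Negotiate would fall back to it).
    $existing = (Get-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter $providers).Collection |
        Select-Object -ExpandProperty value
    foreach ($p in $existing) {
        Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $providers `
            -Name '.' -AtElement @{ value = $p }
    }
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter $providers `
        -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
    Write-Output "$loc : EPA required, TLS required, providers = Negotiate:Kerberos"
}

# Host-wide: deny incoming NTLM on the AD CS server. This registry value mirrors the GPO
# "Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts"; in production,
# set it through Group Policy instead. Run with AuditReceivingNTLMTraffic = 2 first and review
# the Microsoft-Windows-NTLM/Operational log for remaining NTLM clients before enforcing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty -Path $lsa -Name 'RestrictReceivingNTLMTraffic' -PropertyType DWord -Value 2 -Force | Out-Null
Write-Output 'Incoming NTLM denied on this host; reboot to be certain LSA has picked up the change.'
```

The IIS changes are written to applicationHost.config location tags, so they take effect without a reset and are not blocked by the section locking that normally applies to the authentication sections. Domain controllers are not touched by this script; disabling NTLM there is the primary measure described above and is done through the same Restrict NTLM policies.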
What will Northwave do?
Northwave is researching the possibilities of monitoring for exploit attempts. When possible, we will add these capabilities to the Northwave Detection Platform.
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)
Disclaimer applies, see below.
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.