Blumira Resources & Blog

NTLM Relay Attack PetitPotam Targets AD Certificate Services

Written by Matthew Warner | Jul 27, 2021 1:06:45 AM

What Happened?

Lionel Gilles, a French-based Offensive Computer Security researcher at Sogeti, an IT services company based in Paris, France (@topotam77 on Twitter), recently published a PoC tool called PetitPotam, which exploits the MS-EFSRPC (Encrypting File Services Remote Protocol). 

This affects organizations that utilize Microsoft Active Directory Certificate Services, (AD CS) a public key infrastructure (PKI) server.

PetitPotam is considered a NTLM (NT LAN Manager) relay attack, a form of manipulator-in-the-middle attack. Microsoft has previously provided workarounds to avoid similar NTLM attacks.  

How Bad is This?

Threat actors can completely take over a Windows domain with ADCS running without any authentication — they simply need to connect the target server to the LSARPC named pipe with interface c681d488-d850-11d0-8c52-00c04fd90f7e. This allows the attacker to leverage LSARPC to communicate with the Encrypting File System Remote Protocol (MS-EFSRPC) which appears to allow unauthenticated access to provoke an NTLM authentication, which can be then captured. 

Per Microsoft documentation for MS-EFSRPC, this should be an authenticated connection, but as PetitPotam testing shows, an authenticated request is not required. At this point the captured credential can be used to escalate access even further into an environment, potentially resulting in a full takeover.

Any machines that are running Active Directory Certificate Services (AD CS) or DCs are vulnerable to this attack. You can run in an Administrator PowerShell console Get-WindowsFeature adcs-web-enrollment to determine if the feature is installed on your hosts.

This makes the vulnerability fairly dangerous — more dangerous than the recently-reported SAM database vulnerability, aka HiveNightmare.

Update 7/27 1:00 PM ET: For this attack to work, the attacker must have a way to relay the provoked credentials back to either a DC or other internal systems. This means that they would either need to have their own malicious system within the LAN or have gained SYSTEM/Administrator within the environment itself. With HiveNightmare, PrintNightmare, and recent related privilege escalation issues, the escalation step to SYSTEM is not necessarily complex depending on the posture of the environment.

What Should I Do?

Microsoft recommends the following steps:

To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing. PetitPotam takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The mitigations outlined in KB5005413 instruct customers on how to protect their AD CS servers from such attacks.

Blumira also recommends reviewing if the following actions will work for your environment:

  • Consider removing Web Enroll from your Certificate Service noted above, specifically Certificate Authority Web Enrollment and Certificate Enrollment Web Service. Most modern implementations utilize the RPC calls and not the web-focused services. This can break your environment and should be tested if you do not know how Web Enrollment vs RPC Enrollment is utilized.
  • Broadly disable NTLM via GPO on all AD CS and DC Servers via GPO Restrict NTLM: Incoming NTLM Traffic. This will force Kerberos authentication and not allow the NTLM hash to be provoked out of your servers by the attack. However, whenever disabling NTLM, you should test first to validate if legacy solutions require NTLM. There are additional steps to restricting NTLM auth broadly, but this should halt the triggers related to PetitPotam
  • If you want to limit the scope of the changes, disable/remove the NTLM provider via the IIS Manager on the impacted servers. This can be done via Sites -> Default Web Site -> CertSrv and changing your Windows Authentication to only include NegotiateKerberos. Warning: This may impact your authentication functionality depending on your current utilization of NTLM.
  • Validate your utilization of Extended Protection for Authentication (EPA) to determine if it is enabled; this will not stop the attack but can limit impact.
  • Enable signing features such as SMB Signing to minimize relay attack utilization. Similar to disabling NTLM authentication, this does require testing due to potential impact on legacy solutions.

How To Detect

During testing, Blumira identified some methods to detect the exact behavior associated with some PetitPotam actions such as 3 connection events with 5145, 5140, 4624 event IDs ending in an ANONYMOUS LOGON. 

Depending on the hygiene of your environment, the following two three detections will allow you to see a trigger from anonymous and user-auth based PetitPotam and also help you identify potential problem areas in your environment generally.

Anonymous Bind to RPC during PetitPotam, as well as any Anonymous connections.

windows_event_id=4624 AND user=’ANONYMOUS LOGON’ AND authentication_package='NTLM'

Elevated User Access without Source Workstation. You can enhance this by ignoring all src/client IPs that are not private in most cases.

windows_event_id=4624 AND elevated=true AND package_name="NTLM V2" AND workstation_name is null

For organizations with SIEMs that do not abstract out Windows event logic, elevated=true for Blumira is the same as Elevated Token:%%1842

**New Detection 7/27 1:00 PM ET**: Detailed File Share Access with a Specific Set of Accesses and Sources – This does require Auditing of Detailed File Share to be enabled resulting in 5145 Windows Event ID, Blumira Logmira GPO template can help with this visibility.
windows_event_id=5145 AND object_name LIKE '%IPC%' AND file_path in ('lsarpc','efsrpc','lsass','samr','netlogon') AND access_granted LIKE 'ReadData%WriteData%AddFile),'
In testing, we’ve determined that when the PetitPotam attack is executed, it interacts with machines in such a way that it is fingerprintable. By identifying the pipes utilized by PetitPotam, the object (IPC), and the specific accesses granted while executing the credential provoke it is detectable with limited false positives.
Below is an example 5145 Event of a normal user (nbob) being used to execute PetitPotam for your own SIEM mapping. The same accesses and patterns appear when an Anonymous Logon bind occurs as well.

A network share object was checked to see whether client can be granted desired access.

Subject:

Security ID: ABCXSS\nbob

Account Name: nbob

Account Domain: ABCXSS

Logon ID: 0xA1535D

Network Information:

Object Type: File

Source Address: 192.168.10.131

Source Port: 47558

Share Information:

Share Name: \\*\IPC$

Share Path:

Relative Target Name: efsrpc

Access Request Information:

Access Mask: 0x3

Accesses: ReadData (or ListDirectory)

WriteData (or AddFile)

For further technical details, see:

Blumira provides a security guide on How to Configure SMB (Server Message Block) Signing to help you avoid man-in-the-middle attacks on your network.

Detect Indicators of Attacks With Blumira

Blumira can detect activity that is indicative of NTLM Relay attacks, as well as many other Microsoft security incidents. By easily integrating Blumira’s detection and response platform with your Windows environment, you can identify indicators of an attack in progress and contain threats to minimize their impact.

Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

Sign up for a free trial to start detecting and mitigating exposure related to Windows vulnerabilities.