This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PetitPotam NTLM Relay Attack

jeethmathai
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2021-09-21 04:55 PM

Introduction

Lionel Gilles, a French-based Offensive Computer Security researcher at Sogeti, an IT services company based in Paris, France recently published a PoC tool called PetitPotam, which exploits the MS-EFSRPC (Encrypting File Services Remote Protocol).

This affects organizations that utilize Microsoft Active Directory Certificate Services, (AD CS) a public key infrastructure (PKI) server.

PetitPotam is considered a NTLM (NT LAN Manager) relay attack, a form of manipulator-in-the-middle attack. 

 

Attack Scenario

Threat actors can completely take over a Windows domain with AD CS running without any authentication — they simply need to connect the target server to the LSARPC named pipe with interface c681d488-d850-11d0-8c52-00c04fd90f7e. This allows the attacker to leverage LSARPC to communicate with the Encrypting File System Remote Protocol (MS-EFSRPC) which appears to allow unauthenticated access to provoke an NTLM authentication, which can be then captured via HTTP.

  1. Attackers provoke NTLM authentication from DC to a machine they control using MS-EFSRPC / MS-RPRN (PetitPotam)
  2. NTLM Relay back to DC (reflection) AD CS to get a cert for DC
  3. Upgrade DC cert to DC TGT
  4. Windows domain compromised

During testing, we identified some methods to detect the exact behavior associated with some PetitPotam actions such as Windows events with 4624, 5140 event IDs ending in an ANONYMOUS LOGON

Screenshot 2021-09-21 205932.png

 

The following app rules, which are available on the Netwitness live server, help detect PetitPotam activity in the environment

  • Anonymous NTLM logon detected
  • Possible PetitPotam authentication exploit attempt*

Screenshot 2021-09-21 173401.png

Screenshot 2021-09-21 173510.png

*Note : This does require auditing of detailed file share to be enabled resulting in 5145 Windows Event ID

The SMB_lua and DCERPC parsers were also updated to register action meta from EFSRPC named pipe operations.

filename: efsrpc

action:  EfsRpcOpenFileRaw*

*Note: This parser does not by itself indicate a PetitPotam exploit attempt. It only provides visibility of EFSRPC operations issued by a client. Determination that an operation represents an exploit attempt is not directly possible for either parser. Rather analysis of all meta from a session may help an analyst make that determination, or that further investigation may be warranted.

 

References:

https://msrc.microsoft.com/update-guide/vulnerability/ADV210003

InfoSec Handlers Diary Blog (sans.edu)

AD CS/PKI template exploit via PetitPotam and NTLMRelayx, from 0 to DomainAdmin in 4 steps | Franky's WebSite (bussink.net)

 

© 2022 RSA Security LLC or its affiliates. All rights reserved.