Home / About / Insights / SECURITY GUIDANCE - PetitPotam NTLM Relay Attack

Published: 27th July 2021 | In: Threat Intelligence & Advice

Tuesday 27th July 2021 20:00 (GMT). PetitPotam NTLM Relay Attack. Quorum Cyber have produced the below Quick Info on how to mitigate your systems against a potential PetitPotam attack.

UPDATED GUIDANCE: 5th August – 14:30 PM (GMT)

However, as already stated, the below mitigation only deals with NTLM relay attacks. It does not address the wider issue of PetitPotum being used as part of other attacks. Security researcher, Craig Kirby, has identified a mechanism to block remote access to the MS-EFSRPC API effectively blocking unauthenticated PetitPotam attacks.

To do this, create a text file on your desktop called block_efsr.txt.

Save the following contents into it:

rpc

filter

add rule layer=um actiontype=block

add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e

add filter

add rule layer=um actiontype=block

add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d

add filter

quit

From an Administrative command prompt type the following command:

netsh -f %userprofile%\desktop\block_efsr.txt

You can verify that the filters have been added by running the following command:

netsh rpc filter show filter

the result should show two filters:

c681d488-d850-11d0-8c52-00c04fd90f7e

and

df1941c5-fe89-4e79-bf10-463657acf44d

PetitPotam will no longer work against the device, however EFS will continue to operate correctly.

Should you need to remove the filter or include a roll-back plan within any change request the command to do so is:

netsh rpc filter delete filter filterkey=[key]

where the key if the filterkey displayed using the previous command.

 

UPDATED GUIDANCE: 30th July 2021 – 12:15 PM (GMT)

You are vulnerable if NTLM authentication is enabled in your domain and/or if you are using Active Directory Certificate Services (AD CS) with the services “Certificate Authority Web Enrollment” and “Certificate Enrollment Web Service.”.

Microsoft has updated its advice on mitigating this vulnerability and has split the advice into 2 parts:

Primary Mitigations:

On AD CS servers open the Internet Information Services (IIS) Manager and do the following:

  • Enable Extended Protection for Authentication (EPA) for Certificate Authority Web Enrollment, “Required” being the more secure and recommended option.
  • Enable EPA for Certificate Enrollment Web Service, “Required” being the more secure and recommended option. After enabling EPA in the UI, the Web.config file created by CES role at <%windir%>\systemdata\CES\_CES_Kerberos\web.config should also be updated by adding set with a value of either WhenSupported or Always depending on the Extended Protection option selected in the IIS UI.
  • Enable Require SSL, which will enable only HTTPS connections.

Additional Mitigations:

  • Disable the deprecated NTLM authentication where possible.
  • Disable NTLM Authentication on your Windows domain controller.
  • Disable NTLM on any AD CS Servers in your domain using the group policy (GPO). To configure this GPO, open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts. If needed, you can add exceptions as necessary.
  • Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.

Important note: After completing the above steps, you will need to restart IIS to load the changes. To restart IIS, open an elevated Command Prompt window, type the following command, and then press ENTER:

iisreset /restart

This command stops all IIS services that are running and then restarts them. This may cause some disruption to other services hosted on the same server.

Detail guides and screenshots can be found in the “Microsoft Instructions” link below.

What is it?

PetitPotam is a type of relay attack that exploits the MS-EFSRPC (Encrypting File System Remote Protocol) to cause a machine to perform NTLM authentication to an attacker-controlled machine. This can then relay the credentials to Active Directory Certificate Services to get a Kerberos ticket.

This attack effectively allows an attacker with access to the network to take the credentials passed to them from one machine for authentication and uses them to authenticate to against another.

What is the impact?

An unauthenticated attacker can force a targeted computer to initiate an authentication procedure and share its hashed passwords via NTLM. The PetitPotam attack can be chained to an exploit targeting Windows Active Directory Certificate Services (AD CS) to seize control of the entire domain.

Are my systems vulnerable?

You are vulnerable if you have an on-premises AD infrastructure and Active Directory Certificate Services (AD CS) is not configured with protections for NTLM relay attacks.

How do I mitigate this threat?

Microsoft’s advice is to disable NTLM or enable Extended Protection for Authentication (EPA) on ADCS where NTLM signing is required.

In instances where it is not possible to turn off NTLM in its entirety, for example, where there may be compatibility issues, Microsoft recommend implementing one of the two following steps:

  • Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.
  • Disable NTLM for Internet Information Services (IIS) on AD CS Servers in the domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.

Further Information

Microsoft Instructions
SANS Internet Storm Center

Microsoft Advisory
The Hacker News