PetitPotam: Microsoft Windows Server NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
by CIRT Team
A new NTLM relay attack called PetitPotam has been discovered that allows threat actors to take over a domain controller, and thus an entire Windows domain.
Many organizations utilize Microsoft Active Directory Certificate Services, which is a public key infrastructure (PKI) server that can be used to authenticate users, services, and machines on a Windows domain.
PetitPotam’ that performs an NTLM relay attack that does not rely on the MS-RPRN API but instead uses the EfsRpcOpenFileRaw function of the MS-EFSRPC API.
MS-EFSRPC is Microsoft’s Encrypting File System Remote Protocol that is used to perform “maintenance and management operations on encrypted data that is stored remotely and accessed over a network.”
The MS-EFSRPC API is enabled by default on all Windows machines, and disabling the MS-EFS service will not prevent this attack from being successful.
A malicious actor could exploit this feature to gain full control of a Microsoft Windows Domain Controller and the entire Windows Domain.
Microsoft has released an advisory on the PetitPotam exploit with the following information:
You are potentially vulnerable to this attack if NTLM authentication is enabled in your domain and you are using Active Directory Certificate Services (AD CS) with any of the following services:
Certificate Authority Web Enrollment
Certificate Enrollment Web Service
Please see the references or vendor advisory for more information.
26 Oct 2023 - Security Advisories & Alerts