
Microsoft Guidance for Mitigating PetitPotam NTLM Relay Attacks

MS Alert KB5005413

Microsoft has publicly released an alert, KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS), to address an NTLM relay attack designated PetitPotam. The alert supplies active mitigation strategies and recommendations for organizations potentially affected by the PetitPotam relay attack.


PetitPotam is a novel attack method that can be used to conduct a New Technology LAN Manager (NTLM) relay attack against targeted organizations. The attack uses the Microsoft Encrypting File System Remote Protocol (EFSRPC) to force a device to authenticate to a remote NTLM relay directly controlled by a threat actor. Once the device authenticates to the malicious NTLM server, a threat actor can steal hashes and certificates that can be used to assume the identity of the device and its privileges. This identity theft can be used on its own or as a stepping stone in further attacks upon targeted organizations.
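Because the coerced authentication ends up being replayed against another host, the relay target's Security log records the victim machine account (a name ending in "$") logging on over NTLM from an address that is not the victim itself. The detector below is an added example written for this summary; it is not code from the Microsoft alert, and its event records, domain controller names and IP addresses are constructed, with the NTLM-from-foreign-address heuristic being this editor's assumption rather than a rule stated in KB5005413.

```python
"""Flag Security event 4624 network logons (LogonType 3) that use a domain
controller's machine account over NTLM but arrive from an address the
controller does not own.

Added example, not part of the Microsoft alert. All inventory data and
sample events below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """Subset of the fields a parsed 4624 event carries."""
    event_id: int
    logon_type: int
    auth_package: str   # AuthenticationPackageName, e.g. "NTLM" or "Kerberos"
    target_user: str    # TargetUserName, e.g. "DC01$" for a machine account
    target_domain: str
    source_ip: str      # IpAddress as seen by the host writing the event


# Constructed inventory (assumption): domain controllers and the addresses they own.
DOMAIN_CONTROLLERS = {
    "DC01": {"10.0.0.10"},
    "DC02": {"10.0.0.11"},
}


def is_machine_account(name: str) -> bool:
    """Active Directory computer accounts carry a trailing '$'."""
    return name.endswith("$")


def suspicious_dc_ntlm_logons(events, dcs=DOMAIN_CONTROLLERS):
    """Return events where a DC machine account authenticated over NTLM
    from an address that DC does not own (a relay would look like this)."""
    hits = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type != 3:
            continue                       # only successful network logons
        if ev.auth_package.upper() != "NTLM":
            continue                       # Kerberos logons are not relayable here
        if not is_machine_account(ev.target_user):
            continue                       # interactive users are out of scope
        host = ev.target_user[:-1].upper()
        owned = dcs.get(host)
        if owned is None:
            continue                       # a machine account, but not a DC
        if ev.source_ip not in owned:
            hits.append(ev)                # DC credential arriving from elsewhere
    return hits


# Constructed sample events: one true positive among benign traffic.
SAMPLE_EVENTS = [
    LogonEvent(4624, 3, "Kerberos", "DC01$", "CORP", "10.0.0.10"),  # normal
    LogonEvent(4624, 3, "NTLM", "DC01$", "CORP", "10.0.0.10"),      # NTLM from own address
    LogonEvent(4624, 3, "NTLM", "DC01$", "CORP", "10.0.5.77"),      # DC account from a client subnet
    LogonEvent(4624, 3, "NTLM", "alice", "CORP", "10.0.5.77"),      # ordinary user
    LogonEvent(4624, 3, "NTLM", "WS17$", "CORP", "10.0.5.18"),      # non-DC machine account
]


if __name__ == "__main__":
    for ev in suspicious_dc_ntlm_logons(SAMPLE_EVENTS):
        print(f"ALERT: {ev.target_domain}\\{ev.target_user} NTLM logon from {ev.source_ip}")
```

Run it on the hosts most worth watching, the AD CS web enrollment servers, since that is where a relayed domain controller credential would land. Legitimate NTLM logons from a DC's own addresses are allowed through so the rule stays quiet under normal load; tune the inventory to every address each DC actually uses, including any secondary interfaces, or the rule will alert on the DC itself.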

Researchers have released a proof-of-concept script for the PetitPotam technique on GitHub that can be used to force a domain controller to authenticate against a remote NTLM relay under an attacker's control using the MS-EFSRPC API. This proof-of-concept release significantly shortens development time for threat actors, as the code could be used to quickly weaponize tools and techniques for future campaigns.

Note: Please see the Pdf version for full alert details and resource links.
