Microsoft Guidance for Mitigating PetitPotam NTLM Relay Attacks
MS Alert KB5005413
Microsoft has publicly released an alert, KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS), to address a NTLM Relay Attack, designated PetitPotam. The alert is supplied with active mitigation strategies and recommendations for organizations potentially affected by the PetitPotam relay attack.
Pdf version:
Text:
PetitPotam is a novel attack method that can be used to conduct a New Technology LAN Manager (NTLM) relay attack upon targeted organizations. The attack uses the Microsoft Encrypting File System Remote Protocol (EFSRPC) to force a device to authenticate to a remote NTLM relay directly controlled by a threat actor. Once the device authenticates to tthe malicious NTLM server, a threat actor can steal hashes and certificates that can be used to assume the identity of the device and its privileges. This identity theft can be used independently or used in further attacks upon targeted organizations.
Researchers have released a proof-of-concept script for the PetitPotam technique on GitHub that can be used to force a domain controller to authenticate against a remote NTLM relay under an attacker’s control using the MS-EFSRPC API. This proof-of-concept release has a significant impact upon the development time for threat actors, as this code could be utilized to quickly weaponize tools and techniques for attackers in future campaigns.
Note: Please see the Pdf version for full alert details and resource links.
- Related Resources & News
- Health-ISAC Hacking Healthcare 10-15-2024
- Health-ISAC Welcomes Booz Allen Hamilton to the Ambassador Program
- Health-ISAC Hacking Healthcare 10-9-2024
- Monthly Newsletter – October 2024
- Health ISAC leads effort to transform SBOM information sharing under CISA-facilitated community work
- CyberEdBoard Insights: Phil Englert and Errol Weiss
- Health-ISAC Hacking Healthcare 9-10-2024
- Strengthening Healthcare Cybersecurity: Lessons from Recent Supplier Attacks
- Specialize in Securing Critical Infrastructure
- How AI is transforming cybersecurity, on defense and offense