Microsoft Guidance for Mitigating PetitPotam NTLM Relay Attacks
MS Alert KB5005413
Microsoft has publicly released an alert, KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS), to address an NTLM relay attack designated PetitPotam. The alert supplies active mitigation strategies and recommendations for organizations potentially affected by the PetitPotam relay attack.
Alert text:
PetitPotam is a novel attack method that can be used to conduct a New Technology LAN Manager (NTLM) relay attack upon targeted organizations. The attack uses the Microsoft Encrypting File System Remote Protocol (EFSRPC) to force a device to authenticate to a remote NTLM relay directly controlled by a threat actor. Once the device authenticates to the malicious NTLM server, a threat actor can steal hashes and certificates that can be used to assume the identity of the device and its privileges. This identity theft can be used on its own or in further attacks upon targeted organizations.
Researchers have released a proof-of-concept script for the PetitPotam technique on GitHub that can be used to force a domain controller to authenticate against a remote NTLM relay under an attacker’s control using the MS-EFSRPC API. This proof-of-concept release has a significant impact upon the development time for threat actors, as this code could be utilized to quickly weaponize tools and techniques for attackers in future campaigns.
Note: Please see the Pdf version for full alert details and resource links.
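As an added defender-side example (not part of Microsoft's alert or of this page), the following Python flags the trace a relayed, coerced authentication leaves in Windows Security logs: a machine account (name ending in `$`) completing an NTLM network logon from an address that is not its own. The event export, host inventory, hostnames and addresses are all constructed for illustration.

```python
"""Flag NTLM network logons by machine accounts that arrive from an address
other than the machine's own. A coerced EFSRPC authentication that is relayed
by a third host (PetitPotam-style) shows up exactly this way on the relay
target, typically the AD CS server."""
import csv
import io

# Constructed sample export of Security event 4624 records (not real data).
SAMPLE_EVENTS = """EventID,TargetUserName,LogonType,AuthenticationPackageName,IpAddress,Computer
4624,DC01$,3,NTLM,10.0.0.10,FS01.corp.example
4624,DC01$,3,NTLM,10.0.0.77,ADCS01.corp.example
4624,alice,3,NTLM,10.0.0.55,FS01.corp.example
4624,WS05$,3,Kerberos,10.0.0.55,DC01.corp.example
4624,DC01$,3,NTLM,10.0.0.10,ADCS01.corp.example
4624,SRV09$,3,NTLM,10.0.0.90,FS01.corp.example
"""

# Assumed asset inventory: machine account -> addresses it legitimately uses.
KNOWN_HOST_ADDRESSES = {
    "DC01$": {"10.0.0.10"},
    "WS05$": {"10.0.0.55"},
}


def parse_events(text):
    """Parse a CSV export of 4624 events into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_relay_candidate(event, inventory):
    """True when a machine account authenticates via NTLM over the network
    from an address the inventory does not associate with that machine."""
    account = event["TargetUserName"]
    if not account.endswith("$"):
        return False                      # user accounts: out of scope here
    if event["EventID"] != "4624" or event["LogonType"] != "3":
        return False                      # only successful network logons
    if event["AuthenticationPackageName"].upper() != "NTLM":
        return False                      # Kerberos logons are not relayable
    known = inventory.get(account)
    # Unknown machine accounts are surfaced as well so an analyst can triage.
    return known is None or event["IpAddress"] not in known


def find_relay_candidates(text, inventory=KNOWN_HOST_ADDRESSES):
    """Return the events worth investigating, in log order."""
    return [e for e in parse_events(text) if is_relay_candidate(e, inventory)]


if __name__ == "__main__":
    for hit in find_relay_candidates(SAMPLE_EVENTS):
        print(f"{hit['TargetUserName']} via NTLM from {hit['IpAddress']} "
              f"onto {hit['Computer']}")
```

On the constructed sample, DC01$ logging on to ADCS01 from 10.0.0.77 is flagged while the same account from its own address is not; pairing the flagged logon with the AD CS enrollment that follows it is what confirms a relay rather than a misconfigured host.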