PetitPotam NTLM Relay Attack Detection

PetitPotam Attack Detection

July 2021 has been a busy month for Microsoft. After the critical PrintNightmare (CVE-2021-1675) and HiveNightmare (CVE-2021-36934) vulnerabilities, security researchers have identified another critical weakness that can lead to a complete Windows domain compromise. The issue, dubbed PetitPotam, abuses the Encrypting File System Remote Protocol (MS-EFSRPC) to coerce a Windows host into authenticating to an attacker-controlled machine, handing the attacker an NTLM authentication that can then be relayed.

PetitPotam Attack Overview

On July 23, 2021, Gilles Lionel shared a proof-of-concept (PoC) exploit for PetitPotam. The coercion itself works against any Windows host that exposes MS-EFSRPC; the damaging attack chain relays the coerced authentication to Active Directory Certificate Services (AD CS), the Microsoft public key infrastructure (PKI) component, whose web enrollment endpoints accept NTLM authentication by default. Because AD CS is deployed in most enterprise environments, the PetitPotam attack scenario can be leveraged against the majority of them.

PetitPotam exploits MS-EFSRPC to make a remote Windows host start an NTLM authentication to a machine the attacker controls, SANS Institute's Internet Storm Center explains. Specifically, the attacker calls the EFSRPC interface over the \pipe\lsarpc named pipe on the target, which can be any server including a domain controller (DC), passing a UNC path that points at the attacker's host; the target connects to that host and authenticates with NTLM as its own machine account. The attacker relays this authentication to the AD CS web enrollment endpoint and obtains a certificate issued to the coerced machine account (for a DC, the DC's own account). That certificate can then be used to request a Kerberos ticket for the account and, from there, to access any domain service, including the DC itself.

Despite the PetitPotam attack being devastating in its consequences and easy to launch, there are some limitations for adversaries. According to the researchers' findings, a threat actor needs either SYSTEM/admin privileges on a host or covert infrastructure inside the LAN in order to receive the coerced authentication and relay it to the DC, AD CS, or other internal systems. However, the presence of HiveNightmare and PrintNightmare makes the privilege escalation part of the chain an easy task.

PetitPotam Attack Detection and Mitigation

According to the researchers, the majority of supported Windows versions are susceptible to PetitPotam. So far, the technique has been successfully leveraged against Windows 10, Windows Server 2016, and Windows Server 2019.

To help security practitioners withstand a possible PetitPotam attack, Microsoft has released a dedicated Security Advisory (KB5005413) recommending Extended Protection for Authentication (EPA) as the primary mitigation. In short: prefer Kerberos and disable NTLM on AD CS servers where possible; where NTLM must remain, enable EPA on the Certificate Authority Web Enrollment and Certificate Enrollment Web Service applications in IIS and require SSL on them, and enforce SMB signing on servers that accept NTLM over SMB. EPA binds the NTLM authentication to the TLS channel it arrives on, so a relayed authentication is rejected; this is what stops an AD CS server from being abused in an NTLM relay attack.

SOC Prime has released a hunting rule that allows detecting possible PetitPotam attack exploitation. 

Possible PetitPotam Attack Exploitation [MS-EFSRPC/ADCS-PKI] (via audit)

To detect possible attacks against an environment, the rule looks for Kerberos TGT requests (Event ID 4768) whose Certificate Information section is populated, that is, where the Certificate Issuer Name, Certificate Serial Number, and Certificate Thumbprint fields are present. Those fields are filled in only when the client pre-authenticated with a certificate (PKINIT), which is exactly what an attacker does with a certificate obtained by relaying coerced authentication to AD CS. In environments with smart-card logon, expect legitimate hits for user accounts; a computer account authenticating this way is far less common and deserves a closer look.

The hunting rule is available for the following SIEM and Security Analytics platforms:

Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, Apache Kafka ksqlDB, Securonix

This rule is mapped to MITRE ATT&CK, addressing the Credential Access tactic, the Forced Authentication technique (T1187), and the LLMNR/NBT-NS Poisoning and SMB Relay sub-technique (T1557.001).

Updates from September 3, 2021:

Threat Detection Marketplace users can now refer to two more rules aimed at PetitPotam attack detection.

PetitPotam Suspicious Kerberos TGT Request

This rule, written by Mauricio Velazco and Michael Haag, detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step is to use that certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket with a tool like Rubeus. That request produces a 4768 event with fields that are unusual for the account in question, for example a computer account (name ending in $) with the Certificate Information section populated; what counts as unusual depends on the environment.
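Both 4768-based rules above (the hunting rule keyed on the Certificate Information section and this TGT-request rule) come down to the same triage question: did the client pre-authenticate with a certificate, and is the account one for which that is unusual? The script below is an added example written for this page, not SOC Prime's rule content or the rule authors' code. The 4768 records, the host-to-address inventory and the severity ladder are constructed for illustration; the inventory stands in for whatever DHCP, DNS or CMDB source you would actually consult.

```python
"""Triage Kerberos TGT requests (Windows Security Event ID 4768) for the
PetitPotam + AD CS pattern: a computer account that pre-authenticates with a
certificate, possibly from an address that is not the computer itself.

Added example, not SOC Prime's rule content. The event records and the
host inventory below are constructed for illustration.
"""

# 4768 "Certificate Information" fields. Windows leaves them empty (rendered
# as "" or "-") unless the client pre-authenticated with a certificate (PKINIT).
CERT_FIELDS = ("CertIssuerName", "CertSerialNumber", "CertThumbprint")
EMPTY = ("", "-", None)

# Constructed 4768 records, keyed by the EventData names Windows uses.
# PreAuthType 2 = encrypted timestamp (password/AES key), 16 = PA-PK-AS-REQ
# (certificate). TicketEncryptionType is carried for context only.
SAMPLE_4768_EVENTS = [
    {"TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.25", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "CertIssuerName": "-",
     "CertSerialNumber": "-", "CertThumbprint": "-"},
    {"TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.30", "PreAuthType": "16",
     "TicketEncryptionType": "0x12", "CertIssuerName": "CORP-CA",
     "CertSerialNumber": "6100000007", "CertThumbprint": "0A1B2C3D"},
    {"TargetUserName": "DC01$", "IpAddress": "::ffff:10.0.0.99", "PreAuthType": "16",
     "TicketEncryptionType": "0x17", "CertIssuerName": "CORP-CA",
     "CertSerialNumber": "6100000008", "CertThumbprint": "3D4E5F60"},
    {"TargetUserName": "WS07$", "IpAddress": "::ffff:10.0.0.7", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "CertIssuerName": "",
     "CertSerialNumber": "", "CertThumbprint": ""},
    {"TargetUserName": "WS07$", "IpAddress": "::ffff:10.0.0.7", "PreAuthType": "16",
     "TicketEncryptionType": "0x12", "CertIssuerName": "CORP-CA",
     "CertSerialNumber": "6100000009", "CertThumbprint": "70819293"},
]

# Constructed inventory: addresses each computer account is expected to use
# (in practice: DHCP leases, DNS, or the CMDB).
HOST_INVENTORY = {"DC01$": {"10.0.0.1"}, "WS07$": {"10.0.0.7"}}


def strip_ipv4_mapped(addr):
    """4768 logs IPv4 clients as IPv4-mapped IPv6 ('::ffff:10.0.0.7')."""
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def has_certificate_info(event):
    """True when any Certificate Information field is populated."""
    return any(event.get(f) not in EMPTY for f in CERT_FIELDS)


def triage_tgt_request(event, inventory):
    """Return (severity, reasons) for one 4768 record.

    info   : ordinary password/AES pre-authentication, nothing to see
    low    : user account authenticated with a certificate (smart-card logon
             is normal for users; keep for hunting only)
    medium : computer account authenticated with a certificate from its own
             address (unusual; computers normally use their own AES key)
    high   : computer account authenticated with a certificate from an
             address that is not that computer (PetitPotam + AD CS pattern)
    """
    reasons = []
    if not has_certificate_info(event):
        return "info", reasons
    reasons.append("certificate-based pre-authentication (PKINIT)")
    user = event["TargetUserName"]
    if not user.endswith("$"):
        return "low", reasons
    reasons.append(f"computer account {user} requested a TGT with a certificate")
    src = strip_ipv4_mapped(event["IpAddress"])
    expected = inventory.get(user)
    if expected and src not in expected:
        reasons.append(f"request came from {src}, expected {sorted(expected)}")
        return "high", reasons
    return "medium", reasons


def triage_all(events, inventory):
    """Apply the triage to a batch; returns [(account, severity, reasons), ...]."""
    return [(e["TargetUserName"], *triage_tgt_request(e, inventory)) for e in events]


if __name__ == "__main__":
    for account, severity, reasons in triage_all(SAMPLE_4768_EVENTS, HOST_INVENTORY):
        print(f"{severity:6} {account:8} {'; '.join(reasons)}")
```

The source-address check is what separates a noisy hunt from an alert: a DC's machine account requesting a TGT with a certificate from a workstation address is the relay scenario described earlier, while the same request from the DC's own address is merely odd. Treat "-" and empty strings alike, since different collectors render unpopulated 4768 fields differently.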

The rule has translations for the following platforms:

Azure Sentinel, ELK Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA Netwitness, Apache Kafka ksqlDB, Securonix

The rule is mapped to the MITRE ATT&CK framework, addressing the Credential Access tactic and the Forced Authentication technique (T1187).

Possible PetitPotam Coerce Authentication Attempt

This rule, also developed by Mauricio Velazco and Michael Haag, detects PetitPotam coerced authentication attempts, complementing the TGT-based rule above by catching the coercion step itself rather than the later use of the certificate.
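The page does not print the rule body, so the example below is an added illustration of what a coercion-step detection on the targeted host looks like, not SOC Prime's or the rule authors' code. It works from Windows Security Event ID 5145 (network share access check), which records IPC$ named-pipe opens; the watched pipe names, the treatment of anonymous logons and the sample records are my assumptions and constructed data.

```python
"""Flag the share-access pattern that a PetitPotam coercion leaves on the coerced
host: Security Event ID 5145 ("A network share object was checked to see
whether client can be granted desired access") for the IPC$ share where the
RelativeTargetName is a pipe that exposes the MS-EFSRPC interface.

Added example, not SOC Prime's or the rule authors' code. The records are
constructed; the watched pipes and the anonymous-logon weighting are assumptions.
"""
from collections import Counter

# Named pipes over which the EFSRPC interface can be reached. The original PoC
# used \pipe\lsarpc; efsrpc is the interface's own pipe. Extend as needed.
EFSRPC_PIPES = {"lsarpc", "efsrpc"}

# Constructed 5145 records, keyed by the EventData names Windows uses.
SAMPLE_5145_EVENTS = [
    # Unauthenticated coercion attempt from an address with no business here.
    {"SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "lsarpc",
     "IpAddress": "10.0.0.99", "AccessMask": "0x12019f"},
    # Authenticated domain user opening lsarpc: still a possible coercion.
    {"SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "lsarpc",
     "IpAddress": "10.0.0.25", "AccessMask": "0x12019f"},
    # Ordinary RPC traffic to another pipe: ignored.
    {"SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "10.0.0.25", "AccessMask": "0x12019f"},
    # Ordinary file share access: ignored.
    {"SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "ShareName": r"\\*\Projects", "RelativeTargetName": r"q3\plan.docx",
     "IpAddress": "10.0.0.25", "AccessMask": "0x120089"},
]


def is_ipc_share(share_name):
    """5145 logs the share as '\\\\*\\IPC$'; compare case-insensitively."""
    return share_name.upper().endswith(r"\IPC$")


def pipe_name(relative_target):
    """Normalise the pipe name ('\\lsarpc', 'LSARPC' -> 'lsarpc')."""
    return relative_target.lstrip("\\").lower()


def classify_share_access(event):
    """Return a finding dict for an EFSRPC pipe open, else None.

    high   : anonymous caller (the unauthenticated PetitPotam path)
    medium : authenticated caller (coercion is still possible when
             the attacker holds any domain credential)
    """
    if not is_ipc_share(event["ShareName"]):
        return None
    pipe = pipe_name(event["RelativeTargetName"])
    if pipe not in EFSRPC_PIPES:
        return None
    anonymous = event["SubjectUserName"].upper() == "ANONYMOUS LOGON"
    return {
        "severity": "high" if anonymous else "medium",
        "pipe": pipe,
        "source": event["IpAddress"],
        "subject": f'{event["SubjectDomainName"]}\\{event["SubjectUserName"]}',
    }


def find_coercion_candidates(events):
    """Run the classifier over a batch and keep only the hits."""
    return [f for f in map(classify_share_access, events) if f is not None]


def hits_by_source(events):
    """Count candidate pipe opens per source address, useful for pivoting
    to the 4768 rule: the same address should show up there next."""
    return Counter(f["source"] for f in find_coercion_candidates(events))


if __name__ == "__main__":
    for finding in find_coercion_candidates(SAMPLE_5145_EVENTS):
        print(finding)
    print(dict(hits_by_source(SAMPLE_5145_EVENTS)))
```

Two operational caveats: 5145 belongs to the Detailed File Share audit subcategory, which is off by default and very chatty once enabled, so scope it to domain controllers and AD CS servers; and the source address of a coercion hit is the pivot into the 4768 rule, since a successful relay is followed by a certificate-based TGT request from attacker infrastructure.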

Detection is available for the following platforms: 

Azure Sentinel, ELK Stack, Splunk, Chronicle Security, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA Netwitness, Apache Kafka ksqlDB, Securonix

The rule is mapped to the MITRE ATT&CK framework, addressing the Credential Access tactic and the Forced Authentication technique (T1187).

Please refer here to check the full list of detections related to the PetitPotam attack.

Explore Threat Detection Marketplace to reach over 100K qualified, cross-vendor, and cross-tool detection rules tailored to 20+ market-leading SIEM, EDR, NTDR, and XDR technologies. Also, you can contribute to the world’s cyber community via SOC Prime’s Threat Bounty Program by publishing your own detection content on the Detection as Code platform and get rewarded for your contributions.
