PetitPotam NTLM Relay Attacks Flagged by Microsoft Defender for Identity

Microsoft explained "PetitPotam" NT LAN Manager (NTLM) relay attacks in a Wednesday announcement, while also suggesting that its Microsoft Defender for Identity product was capable of identifying such attack attempts.

The PetitPotam vulnerability is only present in Windows Server products where "Active Directory Certificate Services (AD CS) is not configured with protections for NTLM relay attacks," Microsoft has explained.

A patch for PetitPotam was released by Microsoft in its Aug. 10 "update Tuesday" patch distribution. It's described in security bulletin CVE-2021-36942 as a "Windows LSA [Local Security Authority] spoofing vulnerability." Microsoft also lists mitigation steps that can be taken in Knowledge Base article KB5005413.

An EFSRPC Exploit Tool
PetitPotam is named after a little hippo character in a French animation series for kids, but Microsoft described it as "a tool that can exploit the Encrypting File System Remote (EFSRPC) Protocol." The EFSRPC is used to manage files on remote servers that are encrypted via "the Encrypting File System (EFS)," Microsoft explained.

The PetitPotam exploit "allows the adversary to force a domain controller to authenticate to an NTLM relay server under the attacker's control." It then lets them intercept network traffic and impersonate clients.

There are two ways to ward off such attacks, Microsoft explained:

To prevent NTLM relay attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication utilize protections such as Extended Protection for Authentication (EPA), or signing features, like SMB signing.

The second protection option, SMB signing, was highlighted in this Aug. 3 "Configure SMB Signing with Confidence" post by Ned Pyle, a principal program manager on the Windows team and expert on the Windows Server Message Block (SMB) component.

"SMB signing means that every SMB 3.1.1 message contains a signature generated using session key and AES [Advanced Encryption Standard]," Pyle explained.

Pyle further explained the various settings that can be used with SMB signing, which were loosely cooked up in the 1990s and are rather confusing. In general, Pyle said that "requiring Kerberos by disabling the use of NTLM and enabling UNC hardening will make things much more secure."
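To see where a given Windows host stands on the settings named above (SMB signing, NTLM restriction, UNC hardening), a read-only PowerShell audit along these lines can help. It is an added example, not code from Microsoft's announcement or Pyle's post; the registry paths are the standard Windows policy locations as an assumption of this example, and it does not check EPA on AD CS.

```powershell
# Added example: read-only audit of one Windows host; it changes nothing.
# Run from an elevated PowerShell session.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$unc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function New-Row {
    param([string]$Setting, $Value, [string]$Flag)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Flag = $Flag }
}

$report = @()

# SMB signing: only the Require* values enforce it, so report those.
$smb = @{
    'SMB server RequireSecuritySignature' = (Get-SmbServerConfiguration).RequireSecuritySignature
    'SMB client RequireSecuritySignature' = (Get-SmbClientConfiguration).RequireSecuritySignature
}
foreach ($name in $smb.Keys) {
    $flag = if ($smb[$name]) { 'OK' } else { 'REVIEW' }
    $report += New-Row $name $smb[$name] $flag
}

# NTLM restriction policy: absent or 0 means no restriction is configured.
$lsa = Get-Item -Path $msv -ErrorAction SilentlyContinue
foreach ($name in 'RestrictSendingNTLMTraffic', 'RestrictReceivingNTLMTraffic') {
    $v = if ($lsa) { $lsa.GetValue($name) } else { $null }
    if ($null -eq $v -or $v -eq 0) {
        $report += New-Row $name '(not set or 0)' 'REVIEW'
    } else {
        $report += New-Row $name $v 'CONFIGURED'
    }
}

# UNC hardening: each value is a path pattern with its required protections.
$hp = Get-Item -Path $unc -ErrorAction SilentlyContinue
if ($hp -and $hp.ValueCount -gt 0) {
    foreach ($path in $hp.GetValueNames()) {
        $data = [string]$hp.GetValue($path)
        $strict = ($data -match 'RequireMutualAuthentication\s*=\s*1') -and
                  ($data -match 'RequireIntegrity\s*=\s*1')
        $flag = if ($strict) { 'OK' } else { 'REVIEW' }
        $report += New-Row "UNC hardened path $path" $data $flag
    }
} else {
    $report += New-Row 'UNC hardened paths' '(none configured)' 'REVIEW'
}

$report | Format-Table -AutoSize
```

A non-zero NTLM value is reported as CONFIGURED rather than OK because some values only audit NTLM use; check the value against Microsoft's policy documentation before treating it as a restriction.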

Microsoft Defender for Identity
The dense talk about PetitPotam and NTLM relay attack countermeasures didn't stop Microsoft from touting its Microsoft Defender for Identity product.

"Starting from version 2.158 onwards, Microsoft Defender for Identity will trigger a security alert whenever an attacker is trying to exploit the EFS-RPC against the domain controller, which is the preliminary step of the PetitPotam attack," the Wednesday announcement indicated.

PetitPotam Not Fully Patched?
Some security researchers have stated that the PetitPotam threat isn't wholly diminished by Microsoft's August patch.

Will Dormann, a vulnerability analyst at the U.S. Computer Emergency Readiness Team (CERT/CC), indicated in an Aug. 16 Twitter post series that Microsoft's August patch just addressed one PetitPotam attack function:

"PetitPotam is only fixed for the one function that was originally in the first PetitPotam PoC [proof of concept]. Turns out there are several other unauthenticated LSARPC [Local Security Authority Remote Procedure Call] functions that coerce a machine authentication to an arbitrary host w/ NTLM."

The notion that other functions aren't addressed by Microsoft's August patch was maintained by Dormann in a more recent Twitter post.

"Now's probably a good time to remind people that Microsoft has made no claims to have fixed any aspect of the PetitPotam + AD CS attack chain," Dormann wrote in this Aug. 18 Twitter post. "CVE-2021-36942 is one tiny piece of the big picture."

Dormann's post referenced KB5005413 for further actions to take, which is Microsoft's mitigations document.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

