Lionel Gilles, a France-based offensive security researcher at Sogeti, an IT services company headquartered in Paris, recently published a PoC tool called PetitPotam, which exploits MS-EFSRPC (the Encrypting File System Remote Protocol).
This affects organizations that run Microsoft Active Directory Certificate Services (AD CS), a public key infrastructure (PKI) server role.
PetitPotam is considered an NTLM (NT LAN Manager) relay attack, a form of manipulator-in-the-middle attack.
Threat actors can completely take over a Windows domain with AD CS running without any authentication: they simply need to connect to the target server's LSARPC named pipe with interface c681d488-d850-11d0-8c52-00c04fd90f7e. This allows the attacker to use LSARPC to reach the Encrypting File System Remote Protocol (MS-EFSRPC), which appears to allow unauthenticated access to provoke an NTLM authentication that can then be captured via HTTP.
- Attackers provoke NTLM authentication from DC to a machine they control using MS-EFSRPC / MS-RPRN (PetitPotam)
- NTLM Relay back to DC (reflection) AD CS to get a cert for DC
- Upgrade DC cert to DC TGT
- Windows domain compromised
During testing, we identified some methods to detect the exact behavior associated with certain PetitPotam actions, such as Windows events with IDs 4624 and 5140 ending in an ANONYMOUS LOGON.
The following application rules, available on the NetWitness Live server, help detect PetitPotam activity in the environment:
- Anonymous NTLM logon detected
- Possible PetitPotam authentication exploit attempt*
*Note: This rule requires Detailed File Share auditing to be enabled, which produces Windows Event ID 5145.
The SMB_lua and DCERPC parsers were also updated to register action meta from EFSRPC named pipe operations.
*Note: These parsers do not by themselves indicate a PetitPotam exploit attempt. They only provide visibility of EFSRPC operations issued by a client. Determining that an operation represents an exploit attempt is not directly possible for either parser; rather, analysis of all meta from a session may help an analyst make that determination, or decide that further investigation is warranted.
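To make the detection logic above concrete, here is an added example (not NetWitness code, and not the application rules themselves) that applies the same two checks to Windows Security event data: an anonymous NTLM logon (4624 or 5140 ending in ANONYMOUS LOGON) raises the first rule, and an anonymous 5145 named-pipe access on IPC$ to the lsarpc or efsrpc pipe shortly after such a logon from the same source raises the second. The event records are constructed samples with hypothetical IP addresses and timestamps; the field names follow the EventData fields of the real event IDs, but the rule names, pipe list, and 60-second window are assumptions chosen for illustration.

```python
from datetime import datetime

# Rule names taken from the NetWitness app rules described on this page.
RULE_ANON_LOGON = "Anonymous NTLM logon detected"
RULE_PETITPOTAM = "Possible PetitPotam authentication exploit attempt"

# Named pipes the page associates with PetitPotam (LSARPC and EFSRPC).
SUSPECT_PIPES = {"lsarpc", "efsrpc"}

# Constructed sample events (hypothetical values), shaped like the EventData
# fields of Windows Security events 4624, 5140 and 5145.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2021-07-23T10:00:01",
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99"},
    {"EventID": 5140, "TimeCreated": "2021-07-23T10:00:02",
     "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$",
     "IpAddress": "10.0.0.99"},
    {"EventID": 5145, "TimeCreated": "2021-07-23T10:00:02",
     "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "lsarpc", "IpAddress": "10.0.0.99"},
    # Benign: an authenticated user touching a different pipe on IPC$.
    {"EventID": 5145, "TimeCreated": "2021-07-23T10:00:05",
     "SubjectUserName": "jdoe", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "srvsvc", "IpAddress": "10.0.0.50"},
    # Anonymous logon with no pipe access: only the first rule fires.
    {"EventID": 4624, "TimeCreated": "2021-07-23T10:01:00",
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.77"},
]


def is_anonymous_ntlm_logon(ev):
    """4624 network logon via NTLM as ANONYMOUS LOGON, or 5140 share access as ANONYMOUS LOGON."""
    if ev["EventID"] == 4624:
        return (ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"
                and ev.get("LogonType") == "3"
                and ev.get("AuthenticationPackageName", "").upper() == "NTLM")
    if ev["EventID"] == 5140:
        return ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
    return False


def is_anonymous_pipe_access(ev):
    """5145 (requires Detailed File Share auditing): anonymous access to lsarpc/efsrpc on IPC$."""
    return (ev["EventID"] == 5145
            and ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and ev.get("ShareName", "").upper().endswith("IPC$")
            and ev.get("RelativeTargetName", "").lower() in SUSPECT_PIPES)


def detect(events, window_seconds=60):
    """Return a list of alerts; the second rule requires a prior anonymous logon
    from the same source IP within window_seconds (an assumed correlation window)."""
    alerts = []
    anon_logons = {}  # source IP -> timestamps of anonymous NTLM logons
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        ip = ev.get("IpAddress", "-")
        if is_anonymous_ntlm_logon(ev):
            anon_logons.setdefault(ip, []).append(ts)
            alerts.append({"rule": RULE_ANON_LOGON, "ip": ip, "time": ev["TimeCreated"]})
        elif is_anonymous_pipe_access(ev):
            recent = [t for t in anon_logons.get(ip, [])
                      if 0 <= (ts - t).total_seconds() <= window_seconds]
            if recent:
                alerts.append({"rule": RULE_PETITPOTAM, "ip": ip,
                               "time": ev["TimeCreated"], "pipe": ev["RelativeTargetName"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

As the page's note says, a 5145 hit on its own only shows that an EFSRPC or LSARPC operation was issued; correlating it with the preceding anonymous NTLM logon from the same source is what makes the second rule worth an analyst's attention, and that rule only exists when Detailed File Share auditing is turned on.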