Microsoft has moved swiftly to publish mitigation advice for a new NTLM relay attack against Windows Domain controllers, dubbed PetitPotam.
An NTLM relay attack can occur when an attacker inserts themselves between a valid client-server authentication request in a Windows Domain or tricks one system into trying to authenticate itself and so providing a copy of its hashed credentials to the attacker. The captured credentials can then be used in a pass the hash attack allowing the attacker to authenticate against other systems on the network.
PetitPotam is a novel attack that tricks the domain controller into trying to authenticate to a system under the control of the attacker, allowing the attacker to capture the NTLM credentials of the domain controller and then replay them in order to authenticate against other network resources – including the domain controller itself and so take over the domain. The attack does this by abusing the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) into authenticating against a remote NTLM relay controlled by the attacker.
Microsoft recommends NTLM should be disabled in environments where it is not needed – in most modern networks Kerberos is the more secure alternative. If NTLM is required for compatibility reasons it can be protected by enabling Extended Protection for Authentication.
According to Microsoft’s Security Advisory for PetitPotam, PetitPotam takes advantage of servers where the Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks. The advisory goes on to provide instructions for how to configure IIS Servers, and Domain Controllers to harden against NTLM relay attacks such as PetitPotam.