Detecting and Mitigating the PetitPotam Attack on Windows Domains

Fresh on the heels of PrintNightmare and SeriousSAM, we now have one more high-impact attack vector against Windows domains that is relatively straightforward to carry out and difficult to mitigate.

What is now being hailed across Twitter as #PetitPotam is actually a chain of several attacks that requires only network access and can end in full Domain Admin permissions.

The original exploit, PetitPotam, is an authentication coercion exploit. Shortly after its disclosure, several researchers chained it with an attack published by SpecterOps a few months earlier, known as "ESC8", against Active Directory Certificate Services. At the time, SpecterOps demonstrated ESC8 with an older authentication coercion vulnerability in the Print Spooler service, discovered by Lee Christensen (@tifkin_) and known as the "Printer Bug".

This is what the complete attack path looks like:

  1. The attacker coerces a privileged account to authenticate to a machine they control. No domain account is needed. This is the original PetitPotam: a PoC tool released to GitHub on July 18 by French researcher Gilles Lionel (@topotam77) that calls EFSRPC (the Encrypting File System Remote protocol, MS-EFSR) on a target server so that the server's machine account (including those of Domain Controllers) authenticates back to the attacker's host.
  2. The attacker relays that authentication to a vulnerable service using NTLM relay. NTLM is a challenge-response protocol, and by default it does not bind the exchange to the TLS channel or to the server the client intended to reach, so a man-in-the-middle can forward the challenge and response to a different service and be authenticated there as the victim. Microsoft recommends disabling NTLM altogether or enabling Extended Protection for Authentication (EPA), which adds channel binding.
  3. In this attack, the services vulnerable to NTLM relay are the Certificate Authority Web Enrollment service and the Certificate Enrollment Web Service (CES), both part of Active Directory Certificate Services (AD CS) and responsible for the enrollment and issuance of, among other things, client authentication certificates.
  4. The attacker uses the privileged access gained from the NTLM relay to obtain persistent escalated privileges by issuing themselves a certificate in the name of the coerced account. That certificate lets them authenticate to further services as that account, or obtain a silver ticket, and it remains valid until it expires or is revoked, even if the account's password changes.


How to detect and mitigate PetitPotam

Microsoft has released mitigation details in KB5005413 (Mitigating NTLM Relay Attacks on Active Directory Certificate Services).

Semperis Directory Services Protector (DSP) 3.5 includes an indicator of exposure to detect vulnerable environments:

  • "AD Certificate Authority with Web Enrollment ("PetitPotam", "ESC8")" checks for NTLM access to the Web Enrollment service. If this indicator returns results without EPA enabled, the environment is exposed to this attack.
  • We are also working on additional indicators to check for and mitigate EFSRPC coercion and NTLM relay. These indicators will update automatically for DSP customers.
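The following PowerShell is an added example and is not code from the original post or from DSP. It audits the two AD CS web applications the attack relays against (CertSrv for CA Web Enrollment and the <CA>_CES_Kerberos application for CES) for the conditions that make the relay work: Windows authentication on, an NTLM-capable provider offered, and Extended Protection not set to Require. With -Fix it applies the EPA and Require SSL settings from Microsoft's KB5005413 guidance. It assumes the IIS WebAdministration module is installed, that the AD CS web roles are hosted under Default Web Site (the default), and that it runs elevated on the AD CS web server; the $Site parameter and the output field names are this example's own.

```powershell
# Added example (not from the Semperis post or DSP): audit, and optionally harden,
# the AD CS IIS endpoints targeted by ESC8 / PetitPotam relay.
# Assumes: IIS WebAdministration module, AD CS web apps under "Default Web Site",
# run as administrator on the CA / enrollment web server. Settings per KB5005413.
[CmdletBinding()]
param(
    [switch]$Fix,                       # apply EPA=Require and Require SSL
    [string]$Site = 'Default Web Site'  # assumption: where the AD CS web roles live
)

Import-Module WebAdministration -ErrorAction Stop

$appHost = 'MACHINE/WEBROOT/APPHOST'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# /CertSrv           = Certificate Authority Web Enrollment
# /<CA>_CES_Kerberos = Certificate Enrollment Web Service, Windows-auth (Kerberos) binding
$apps = Get-WebApplication -Site $Site | Where-Object { $_.Path -match '^/(CertSrv|.+_CES_Kerberos)$' }
if (-not $apps) { Write-Warning "No CertSrv or CES application found under '$Site'"; return }

foreach ($app in $apps) {
    $loc = "$Site$($app.Path)"   # e.g. "Default Web Site/CertSrv"

    # Values are stringified so the checks work whether IIS returns enum names or integers.
    $winEnabled = "$((Get-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $winAuth -Name enabled).Value)" -eq 'True'
    # tokenChecking: None / Allow / Require (0 / 1 / 2). Only Require stops a relayed authentication.
    $epa        = "$((Get-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter "$winAuth/extendedProtection" -Name tokenChecking).Value)"
    $providers  = (Get-WebConfiguration -PSPath $appHost -Location $loc -Filter "$winAuth/providers").Collection | ForEach-Object { $_.value }
    $sslFlags   = "$((Get-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter 'system.webServer/security/access' -Name sslFlags).Value)"

    $epaOk = $epa -in @('Require', '2')
    # sslFlags is a flags enum; Ssl (bit 8) is "Require SSL". EPA channel binding needs TLS to bind to.
    $sslOk = ($sslFlags -match '\bSsl\b') -or ((([int]($sslFlags -as [int])) -band 8) -ne 0)
    # "NTLM" offers NTLM outright; plain "Negotiate" still falls back to NTLM when Kerberos fails.
    # Only "Negotiate:Kerberos" rules NTLM out on the provider side.
    $ntlmPossible = ($providers -contains 'NTLM') -or ($providers -contains 'Negotiate')

    [pscustomobject]@{
        Application        = $loc
        WindowsAuth        = $winEnabled
        ExtendedProtection = $epa
        RequireSSL         = $sslOk
        Providers          = ($providers -join ', ')
        NtlmPossible       = $ntlmPossible
        ExposedToRelay     = $winEnabled -and $ntlmPossible -and -not $epaOk
    }

    if ($Fix -and $winEnabled) {
        # KB5005413 mitigation: EPA = Required plus Require SSL on the application.
        # Removing NTLM from the providers is deliberately not automated here: it breaks
        # every client that cannot do Kerberos to this host and must be a planned change.
        Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter "$winAuth/extendedProtection" -Name tokenChecking -Value 'Require'
        Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
        Write-Host "Applied Extended Protection=Require and Require SSL to $loc"
    }
}
```

Run it once without -Fix and look at the ExposedToRelay column; an application that shows WindowsAuth true, NtlmPossible true and ExtendedProtection anything other than Require is exactly the condition the DSP indicator above flags. Two caveats a practitioner should keep in mind: for CES, the KB also requires editing the application's web.config to add `<extendedProtectionPolicy policyEnforcement="Always" />` under the Windows transport binding, which the applicationHost settings this script changes do not cover; and EPA only helps once clients reach the endpoint over HTTPS, so a CA that still answers on plain HTTP should have that binding removed or redirected as well.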


The post Detecting and Mitigating the PetitPotam Attack on Windows Domains appeared first on Semperis.

*** This is a Security Bloggers Network syndicated blog from Semperis authored by Ran Harel. Read the original post at: