Detecting and Mitigating the PetitPotam Attack on Windows Domains

By Ran Harel August 02, 2021 | Ransomware
Update August 10, 2021: Microsoft released a patch that partially covers the initial PetitPotam authentication coercion through MS-EFSR. 

Fresh on the heels of PrintNightmare and SeriousSam, we now have another high-impact attack vector on Windows domains that is relatively easy to carry out and difficult to mitigate.

What is now being hailed across Twitter as #PetitPotam is a combination of several attacks that require only network access with potential to gain full Domain Admin permissions.

The original exposure, PetitPotam, is an authentication coercion exposure. Soon after its discovery, it was combined by several researchers with an attack exposed by SpecterOps a few months ago called “ESC8” against AD Certificate Services. At the time, SpecterOps referred to an older authentication coercion vulnerability in Print Spoolers discovered by @elad_shamir and referred to as the “Printer Bug.”

This is what the full attack path looks like:

  1. An attacker coerces a privileged account to authenticate to a controlled machine. No domain account is required. This is the original PetitPotam—a PoC tool released on July 18 to GitHub by French researcher Gilles Lionel (@topotam77) that calls EFSRPC (Encrypting File System Remote) to authenticate as the running service (including Domain Controllers).
  2. The attacker relays that authentication to a susceptible service using NTLM relay. Because of a design flaw as a challenge-response authentication protocol, NTLM authentication is susceptible to relay attacks. Microsoft suggests disabling NTLM altogether or installing EPA.
  3. In this attack, the services that are susceptible to NTLM relay are the CA Web Enrollment and Certificate Enrollment Web Service—part of Active Directory Certificate Services (AD CS) —services that are responsible for enrollment and issuance of (among other things) client authentication certificates.
  4. The attacker uses the privileged access from the NTLM relay attack to gain persistent escalated privileges by issuing themselves a certificate in the name of the coerced account. This approach enables them to authenticate to additional services or gain a silver ticket.

 

How to detect and mitigate PetitPotam

Microsoft has released mitigation information, available here.

Semperis Directory Services Protector (DSP) 3.5 includes an indicator of exposure to detect susceptible environments:

  • “AD Certificate Authority with Web Enrollment (“PetitPotam,” “ESC8″)” checks for NTLM access to the Web Enrollment service. If this indicator finds results without EPA enabled, the environment is exposed to this attack.
  • We are also working on additional indicators to check for and mitigate EFSRPC coercion and NTLM relay. These indicators will update automatically for DSP customers.

 

About the author
Ran Harel
Ran Harel Principal Security Product Manager
Ran Harel, Senior Security Product Manager at Semperis, has more than 15 years’ security experience including pen-testing, SecOps and risk-and-compliance management at global financial institutions. Recently, Ran has held leading product roles at a global cybersecurity vendor and two acquired startups. Linkedin
Unlock cyber resilience. Get a demo