PetitPotam NTLM Relay Attack

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

• In July 2021, French security researcher Gilles Lionel released a Proof-of-Concept (PoC) code for coercing NTLM authentication requests from Windows hosts.
• Known as “PetitPotam”, the attack abuses the Encrypting File System Remote (EFSRPC) protocol to provoke NTLM authentication requests for use in credential relay attacks.
• In an attack scenario, an attacker with local network access can abuse this protocol to coerce an NTLM authentication request to a server under an attacker’s control.
• Researchers have successfully relayed NTLM requests retrieved using PetitPotam to Active Directory Certificate Services (AD CS) servers to sign a certificate using the relayed NTLM credentials. An attacker can then leverage this signed certificate to elevate their access and compromise the domain.
• This attack method is described in detail by SANS in a recent post.

How did we find it?

• Our 24/7 SOC analysts identified public reports of the attack and PoC code as part of regular monitoring of the threat landscape.

What did we do?

• We analyzed and tested the PoC code in a lab environment to generate log telemetry in our MDR platform.
• We deployed detection content to our eSentire Managed Log service. The detection identifies the specific connection type that PetitPotam uses to elicit an authentication attempt from a Windows Server.
• Our Managed Vulnerability Service (MVS) has plugins in place to detect vulnerable devices and identify vulnerable hosts.
• Our security team is monitoring the situation for new information and are looking for additional detection opportunities.

What can you learn from this TRU positive?

• NTLM relay attacks have existed for some time. Mitigations against relay attacks typically focus on preventing malicious hosts from coercing arbitrary NTLM requests from other systems. Unfortunately, PetitPotam is a new method for coercing these requests using the EFSRPC protocol.
• NTLM is generally considered insecure, but completely disabling it is a challenge given the legacy dependencies.
• Our TRU team continuously monitors the threat landscape for new attack methods such as PetitPotam. Through our detection engineering process, we can generate telemetry for use in retro-active threat hunts and forward-looking detection to protect our customers.

Recommendations from our Threat Response Unit (TRU) Team:

In response to PetitPotam, Microsoft has released several mitigations on NTLM relay attacks. We recommend implementing the following mitigations as soon as possible if your environment is potentially vulnerable to PetitPotam:

• Disabling NTLM authentication in the environment.
• Disabling NTLM on Active Directory Certificate Services (AD CS) servers.
• Enable Extended Protection for Authentication (EPA) on AD CS servers if NTLM cannot be disabled.

Additional measures such as EPA or SMB signing are recommended where NTLM authentication is in use.

Ask Yourself…

• Consider how you can monitor and respond to credential replay attacks such as PetitPotam in your environment, particularly if NTLM cannot be fully disabled in the domain.
• Do I have the visibility and expertise required to investigate emerging attack methods?

If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.

Want to learn more? Connect with an eSentire Security Specialist.