
New PetitPotam attack allows take over of Windows domains
2021-07-23 20:54

A new NTLM relay attack called PetitPotam has been discovered that allows threat actors to take over a domain controller, and thus an entire Windows domain.

If this attack is successful, the attacker could take over the domain controller and perform any command they wish, effectively taking over the Windows domain.

This week, French security researcher GILLES Lionel, aka Topotam, disclosed a new technique called 'PetitPotam' that performs an NTLM relay attack that does not rely on the MS-RPRN API but instead uses the EfsRpcOpenFileRaw function of the MS-EFSRPC API. MS-EFSRPC is Microsoft's Encrypting File System Remote Protocol that is used to perform "Maintenance and management operations on encrypted data that is stored remotely and accessed over a network."

Lionel has released a proof-of-concept script for the PetitPotam technique on GitHub that can be used to force a domain controller to authenticate to a remote NTLM relay under an attacker's control via the MS-EFSRPC API. In a conversation with BleepingComputer about the new relay attack method, Lionel stated that he does not see this as a vulnerability but rather as the abuse of a legitimate function.

Beyond relaying SMB authentication to an HTTP certificate enrollment server, which allows full takeover of the domain controller, Lionel said the technique could be used for other attacks.

Update 7/24/21 16:15 EST: Added link to Microsoft's security advisory for the PetitPotam attack.

News URL

https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/