Microsoft shares mitigations for new PetitPotam NTLM relay attack (Security News, July 2021)
Microsoft has released mitigations for the new PetitPotam NTLM relay attack that allows taking over a domain controller or other Windows servers.
PetitPotam is a new method for conducting an NTLM relay attack, discovered by French security researcher Gilles Lionel.
The attack abuses the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) to force a device, including a domain controller, to authenticate to a remote NTLM relay controlled by a threat actor.
After news of the PetitPotam NTLM relay attack broke yesterday, Microsoft published a security advisory with recommendations for organizations to defend against threat actors using the new technique on domain controllers.
"PetitPotam takes advantage of servers where Active Directory Certificate Services is not configured with protections for NTLM Relay Attacks" - Microsoft.
Microsoft's advisory is clear about the actions needed to prevent NTLM relay attacks, but it does not address the underlying abuse of the MS-EFSRPC API, which would require a security update to fix.