The PetitPotam NTLM relay exploit, which allows a threat actor to take over a Windows domain, has been blocked by Microsoft security patches. Gilles Lionel, nicknamed Topotam, a security researcher, revealed a new method called PetitPotam in July that forces a domain controller to authenticate against a threat actor's server utilizing the MS-EFSRPC API capabilities. Gilles Lionel published a proof-of-concept (PoC) exploit for a brand new PetitPotam security flaw on July 23, 2021. This problem affected Microsoft's Active Directory Certificate Services (AD CS), which is needed to assure public key infrastructure (PKI) server functionality. According to the SANS Institute's Internet Storm Center, PetitPotam uses the Encrypting File System Remote Protocol (MS-EFSRPC) to start the authentication process in remote Windows instances and force them to divulge the NTLM hashes to the adversary. The attacker specifically exploits LSARPC to force any targeted server, including domain controllers (DCs), to connect to the malicious random server and perform NTLM authentication. As a result, the adversary acquires an authentication certificate that is valid for all domain services, including the DC. Despite the fact that the PetitPotam attack had devastating results and was simple to launch, the adversaries faced some constraints. To transfer the stolen credentials back to the DC or other internal instances, threat actors needed to achieve SYSTEM/ADMIN rights or maintain covert malicious infrastructure within the LAN, according to the researchers' findings. The majority of supported Windows versions, according to the researchers, are vulnerable to the PetitPotam. The technique has been successfully applied to Windows 10, Windows Server 2016, and Windows Server 2019. Microsoft provided a security update in August 2021 Patch Tuesday, that prevents the PetitPotam vector (CVE-2021-36942) from forcing a domain controller to authen ..
Support the originator by clicking the read the rest link below.
