Microsoft recommends disabling NTLM when not necessary. The company also recommends that services that require NTLM authentication should use signing features such as SMB signing. Due to requirements to support legacy systems and tools, some organizations may find this advice difficult to implement. Whether an organization is able to mitigate the threat or not, it is still a strong position to implement monitoring systems to detect if an attacker is attempting to exploit this vulnerability. The most effective detection so far that has been tested by Binary Defense’s Threat Hunting Team is a set of Surricata rules that match the patterns of network communication used by the exploit PoC: https://github.com/ptresearch/AttackDetection/blob/master/PetitPotam/petitpotam.rules PetitPotam is about abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to pass on authentication requests, leaving the door open for other attacks. Microsoft’s advisory is clear about the action to prevent NTLM relay attacks but does not address the abuse of the MS-EFSRPC API, which would need a security update to fix. Companies that use NTLM authentication should look to decide if it is fully needed and if not, it should be disabled. If NTLM is needed, companies should follow Microsoft’s guidelines for the time being and be on the lookout for a security patch fixing the abuse of the MS-EFSRPC API.

https://nationalcybersecuritynews.today/microsoft-shares-mitigations-for-new-petitpotam-ntlm-relay-attack-microsoft-hacking-cybersecurity/

Detection rules: https://github.com/ptresearch/AttackDetection/blob/master/PetitPotam/petitpotam.rules