Security researcher Gilles Lionel recently shared technical details and a Proof-of-Concept (PoC) of an attack implementation that abuses a flaw in the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) to coerce Windows hosts to authenticate to other machines in an Active Directory domain. This attack allows threat actors to take over a domain controller or other Windows Servers. The attack uses the Microsoft Encrypting File System Remote Protocol (EFSRPC) to force a device, including domain controllers, to authenticate to a remote NTLM relay controlled by a threat actor. Once the device authenticates, the threat actor can use it to steal hash and certificates that let them assume the identity of the device and its privileges. Microsoft has referenced previously-published advice to system administrators to disable NTLM or enable SMB signing in their organizations to prevent NTLM relays and make this attack method ineffective.
Analyst Notes
Microsoft recommends disabling NTLM when not necessary. The company also recommends that services that require NTLM authentication should use signing features such as SMB signing. Due to requirements to support legacy systems and tools, some organizations may find this advice difficult to implement. Whether an organization is able to mitigate the threat or not, it is still a strong position to implement monitoring systems to detect if an attacker is attempting to exploit this vulnerability. The most effective detection so far that has been tested by Binary Defense’s Threat Hunting Team is a set of Surricata rules that match the patterns of network communication used by the exploit PoC: https://github.com/ptresearch/AttackDetection/blob/master/PetitPotam/petitpotam.rules PetitPotam is about abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to pass on authentication requests, leaving the door open for other attacks. Microsoft’s advisory is clear about the action to prevent NTLM relay attacks but does not address the abuse of the MS-EFSRPC API, which would need a security update to fix. Companies that use NTLM authentication should look to decide if it is fully needed and if not, it should be disabled. If NTLM is needed, companies should follow Microsoft’s guidelines for the time being and be on the lookout for a security patch fixing the abuse of the MS-EFSRPC API.
https://nationalcybersecuritynews.today/microsoft-shares-mitigations-for-new-petitpotam-ntlm-relay-attack-microsoft-hacking-cybersecurity/
Detection rules: https://github.com/ptresearch/AttackDetection/blob/master/PetitPotam/petitpotam.rules
