ALERT: PetitPotam NTLM Relay Attack Detection (via SOC Prime)


SOC Prime


SOC Prime, a leading partner of Satisnet, discusses one of the latest cyber security threats organisations are facing: PetitPotam. SOC Prime are the creators of Threat Detection Marketplace (TDM), the number one platform for SIEM/EDR/NTDR use-case library, security analytics, detection-as-code, and continuous security intelligence.

SOC Prime: PetitPotam NTLM Relay Attack Detection

July continues to be a demanding month for Microsoft. After the critical PrintNightmare (CVE-2021-1675, later tracked as CVE-2021-34527) and HiveNightmare (CVE-2021-36934) vulnerabilities, security researchers have identified a further gap that can end in complete Windows domain compromise. The issue, dubbed PetitPotam, abuses the Encrypting File System Remote Protocol (MS-EFSRPC) to coerce a Windows host into authenticating to an attacker-controlled machine, which is the starting point of an NTLM relay attack.

PetitPotam Attack Overview

On July 23, 2021, Gilles Lionel (topotam) shared a proof-of-concept (PoC) exploit for PetitPotam. The coercion itself works against any Windows host that exposes MS-EFSRPC; what makes it a domain-compromise issue is the relay target it is paired with, Microsoft Active Directory Certificate Services (AD CS), whose web enrollment endpoints accept NTLM authentication over HTTP. AD CS provides the public key infrastructure (PKI) in most enterprise Active Directory deployments, so the full attack chain applies to the majority of enterprise environments.

PetitPotam abuses the Encrypting File System Remote Protocol (MS-EFSRPC), reachable over the \pipe\lsarpc (and \pipe\efsrpc) named pipes, to make a remote Windows host, including a domain controller (DC), open an SMB connection to an attacker-controlled server and authenticate to it with NTLM, as SANS Institute's Internet Storm Center explains. This is authentication coercion rather than hash disclosure: what the attacker receives is a live NTLM challenge-response that must be relayed before it expires, not a reusable hash. The coerced session is relayed to the AD CS web enrollment endpoint, which accepts NTLM over HTTP, and the attacker enrols a certificate for the DC's computer account. That certificate can then be used to obtain a Kerberos TGT (via PKINIT) as the DC and so to access any domain service with domain-controller privileges, for example to replicate credentials out of the directory.

Although the attack is easy to launch and devastating in its consequences, the adversary does face constraints. They need a foothold on the internal network: a host that the target can reach over SMB (to receive the coerced connection) and that can itself reach the relay target, such as the AD CS web enrollment endpoint, and the domain must run a certificate authority with web enrollment. Elevated privileges are not required for the coercion itself (the published PoC can trigger it against an unpatched domain controller without credentials), but where the attacker first needs SYSTEM or administrator rights on a foothold host, HiveNightmare and PrintNightmare make that escalation step an easy one.

PetitPotam Attack Detection and Mitigation

According to the researchers, the majority of supported Windows versions are susceptible to PetitPotam. So far the technique has been confirmed against Windows 10, Windows Server 2016, and Windows Server 2019.

To help security practitioners withstand a possible PetitPotam attack, Microsoft has released a dedicated security advisory (KB5005413, "Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)"). Its guidance is to enable Extended Protection for Authentication (EPA) and require TLS on the AD CS web enrollment endpoints (Certificate Authority Web Enrollment and Certificate Enrollment Web Service), and, more generally, to make any service that still accepts NTLM use EPA or a signing feature such as SMB signing; where NTLM is not needed on the CA's IIS site, disabling it removes the relay target altogether. These steps harden the relay target; they do not stop the EFSRPC coercion itself.
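The following PowerShell script is an added example, not part of the SOC Prime article or of Microsoft's advisory text. It audits an AD CS host for the settings that let a relayed NTLM session enrol a certificate (EPA off, SSL not required, NTLM offered as a provider, SMB signing not required) and optionally applies the hardening. It assumes it is run elevated on the CA server that hosts web enrollment, that the enrollment application sits at the default path "Default Web Site/CertSrv", and that the IIS WebAdministration module is installed; the path and module are assumptions, the control names come from the advisory.

```powershell
# Added example (not SOC Prime's or Microsoft's code): audit and harden the AD CS
# web enrollment site against NTLM relay, following the KB5005413 controls.
# Assumptions: elevated session on the CA host; enrollment app at the default
# "Default Web Site/CertSrv"; WebAdministration module present.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Site    = 'Default Web Site'
$App     = 'CertSrv'                                     # assumed default enrollment path
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'
$IisArgs = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = "$Site/$App" }

function Get-CertSrvProviders {
    # Authentication providers offered by Windows Authentication on the enrollment app.
    @(Get-WebConfiguration @IisArgs -Filter "$WinAuth/providers/add" |
      Select-Object -ExpandProperty value)
}

function Get-CertSrvRelayPosture {
    # One row per control: the current value, the weak value, and whether it passes.
    $epa  = (Get-WebConfiguration @IisArgs -Filter "$WinAuth/extendedProtection").tokenChecking
    $ssl  = (Get-WebConfiguration @IisArgs -Filter 'system.webServer/security/access').sslFlags
    $prov = Get-CertSrvProviders
    $smb  = (Get-SmbServerConfiguration).RequireSecuritySignature

    [pscustomobject]@{ Control = 'Extended Protection (tokenChecking)'; Current = "$epa";            Weak = 'None';        Pass = ("$epa" -eq 'Require') }
    [pscustomobject]@{ Control = 'Require SSL (sslFlags)';              Current = "$ssl";            Weak = 'None';        Pass = ("$ssl" -match 'Ssl') }
    [pscustomobject]@{ Control = 'Windows auth providers';              Current = ($prov -join ','); Weak = 'NTLM listed'; Pass = ($prov -notcontains 'NTLM') }
    [pscustomobject]@{ Control = 'SMB signing required (server)';       Current = "$smb";            Weak = 'False';       Pass = ($smb -eq $true) }
}

function Set-CertSrvRelayHardening {
    # EPA = Require only works over TLS (channel binding needs the TLS channel),
    # so SSL is required first, then EPA is switched on.
    Set-WebConfigurationProperty @IisArgs -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    Set-WebConfigurationProperty @IisArgs -Filter "$WinAuth/extendedProtection" -Name tokenChecking -Value 'Require'

    # Optional, from the advisory: stop offering NTLM on this site at all. Plain
    # "Negotiate" can still fall back to NTLM inside SPNEGO, so only Kerberos is left.
    $prov = Get-CertSrvProviders
    foreach ($p in @('NTLM', 'Negotiate')) {
        if ($prov -contains $p) {
            Remove-WebConfigurationProperty @IisArgs -Filter "$WinAuth/providers" -Name '.' -AtElement @{ value = $p }
        }
    }
    if ($prov -notcontains 'Negotiate:Kerberos') {
        Add-WebConfigurationProperty @IisArgs -Filter "$WinAuth/providers" -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
    }

    # Server-side SMB signing stops SMB-to-SMB relay against this host.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

Get-CertSrvRelayPosture | Format-Table -AutoSize
# Apply, then re-audit:
# Set-CertSrvRelayHardening; Get-CertSrvRelayPosture | Format-Table -AutoSize
```

Run the audit first and keep the output; after `Set-CertSrvRelayHardening` every row should show `Pass = True`. The provider change is the strictest of the four and will break any client that can only do NTLM against the enrollment pages, so test enrollment from a domain-joined machine afterwards; EPA plus required SSL on their own already defeat the relay described above.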

SOC Prime has released a hunting rule that allows detecting possible PetitPotam attack exploitation.

Possible PetitPotam Attack Exploitation [MS-EFSRPC/ADCS-PKI] (via audit)

The rule hunts for Kerberos authentication ticket (TGT) requests (Event ID 4768) in which the Certificate Information section is populated: Certificate Issuer Name, Certificate Serial Number and Certificate Thumbprint. These fields are only filled when the TGT was obtained with certificate-based pre-authentication (PKINIT, Pre-Authentication Type 16). A certificate-based TGT request for a computer account, in particular a domain controller's, is the trace left when a certificate enrolled through the relay is used to obtain a TGT, so that is the event to triage first; TGT requests by smart-card users produce the same fields and need to be baselined.
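As an added example, not SOC Prime's rule, the PowerShell below parses exported 4768 events and applies the logic just described, with two refinements a practitioner would want: computer accounts are rated higher than smart-card users, and a TGT for a known host requested from an address that is not that host's own is rated highest. It assumes the EventData field names written by Microsoft-Windows-Security-Auditing (TargetUserName, PreAuthType, IpAddress, CertIssuerName, CertSerialNumber, CertThumbprint); the host names, addresses, issuer and the three sample events are constructed for the example.

```powershell
# Added example (not SOC Prime's rule): detect certificate-based (PKINIT) TGT requests
# in Windows 4768 events, the post-relay artefact described above.
# Assumptions: 4768 EventData names as emitted by the Security log; the sample
# events, hosts and addresses below are constructed, not real telemetry.

function ConvertFrom-Tgt4768 {
    # Flattens one exported 4768 event into the fields the detection needs.
    param([Parameter(Mandatory)][xml]$EventXml)
    $f = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId        = [int]$EventXml.Event.System.EventID
        Computer       = $EventXml.Event.System.Computer
        TargetUser     = $f['TargetUserName']
        PreAuthType    = [int]$f['PreAuthType']           # 2 = PA-ENC-TIMESTAMP (password), 16 = PA-PK-AS-REQ (PKINIT)
        SourceIp       = ("$($f['IpAddress'])" -replace '^::ffff:', '')
        CertIssuer     = $f['CertIssuerName']
        CertSerial     = $f['CertSerialNumber']
        CertThumbprint = $f['CertThumbprint']
    }
}

function Find-CertificateTgtRequest {
    # $KnownHostAddresses maps a computer account to the address it normally
    # authenticates from (assumed to come from an asset inventory). A TGT for DC01$
    # requested from anywhere else is the PetitPotam plus AD CS relay outcome.
    param([Parameter(Mandatory)][object[]]$Events, [hashtable]$KnownHostAddresses = @{})
    foreach ($e in $Events) {
        if ($e.EventId -ne 4768) { continue }
        $usedCert = ($e.PreAuthType -eq 16) -or -not [string]::IsNullOrWhiteSpace($e.CertThumbprint)
        if (-not $usedCert) { continue }                   # password/keytab pre-auth: out of scope
        $severity = 'Medium'
        $reason   = 'certificate-based TGT request (PKINIT); baseline against smart-card users'
        if ("$($e.TargetUser)" -match '\$$') {             # computer accounts rarely use PKINIT
            $severity = 'High'
            $reason   = 'computer account obtained a TGT with a certificate'
            $expected = $KnownHostAddresses[$e.TargetUser]
            if ($expected -and $expected -ne $e.SourceIp) {
                $severity = 'Critical'
                $reason  += "; request came from $($e.SourceIp), not the host's own address $expected"
            }
        }
        [pscustomobject]@{ Severity = $severity; Account = $e.TargetUser; SourceIp = $e.SourceIp
                           Issuer = $e.CertIssuer; Serial = $e.CertSerial; Thumbprint = $e.CertThumbprint; Reason = $reason }
    }
}

# Constructed sample events: a password logon, a smart-card user, and a DC computer
# account whose TGT is requested with a certificate from a workstation address.
$tgtByPassword = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="PreAuthType">2</Data>
  <Data Name="IpAddress">::ffff:10.0.0.25</Data><Data Name="CertIssuerName"></Data>
  <Data Name="CertSerialNumber"></Data><Data Name="CertThumbprint"></Data></EventData>
</Event>
'@
$tgtBySmartCard = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">asmith</Data><Data Name="PreAuthType">16</Data>
  <Data Name="IpAddress">::ffff:10.0.0.31</Data><Data Name="CertIssuerName">corp-CA01-CA</Data>
  <Data Name="CertSerialNumber">1A00000007</Data><Data Name="CertThumbprint">0D9E3C5BAA31</Data></EventData>
</Event>
'@
$tgtRelayedDc = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">DC01$</Data><Data Name="PreAuthType">16</Data>
  <Data Name="IpAddress">::ffff:10.0.0.50</Data><Data Name="CertIssuerName">corp-CA01-CA</Data>
  <Data Name="CertSerialNumber">1A0000000C</Data><Data Name="CertThumbprint">7F21B0C4E9D8</Data></EventData>
</Event>
'@

$events = @($tgtByPassword, $tgtBySmartCard, $tgtRelayedDc) | ForEach-Object { ConvertFrom-Tgt4768 ([xml]$_) }
Find-CertificateTgtRequest -Events $events -KnownHostAddresses @{ 'DC01$' = '10.0.0.10' } | Format-Table -AutoSize

# Live use on a domain controller with the same two functions:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } |
#         ForEach-Object { ConvertFrom-Tgt4768 ([xml]$_.ToXml()) }
# Find-CertificateTgtRequest -Events $live -KnownHostAddresses $inventory
```

On the three constructed events the password logon is ignored, the smart-card user is reported as Medium, and `DC01$` is reported as Critical because the request came from 10.0.0.50 rather than the address the inventory holds for that host. The same fields (issuer, serial, thumbprint) are what you would then pivot on in the CA's issued-certificate log to find the enrollment request the relay produced.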

The hunting rule is available for the following SIEM and Security Analytics platforms:

Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, Apache Kafka ksqlDB, Securonix.

This rule is mapped to the MITRE ATT&CK framework: the Credential Access tactic, the Forced Authentication technique (T1187), and the LLMNR/NBT-NS Poisoning and SMB Relay sub-technique (T1557.001) of Adversary-in-the-Middle.

Explore Threat Detection Marketplace to reach over 100K qualified, cross-vendor, and cross-tool detection rules tailored to 20+ market-leading SIEM, EDR, NTDR, and XDR technologies. Also, you can contribute to the world’s cyber community via SOC Prime’s Threat Bounty Program by publishing your own detection content on the Detection as Code platform and get rewarded for your contributions.


SOC Prime Blog: PetitPotam NTLM Relay Attack Detection