Threat Intel: PetitPotam NTLM Relay Attack: Disable NTLM Incoming Traffic on DCs


PetitPotam abuses the Encrypting File System Remote Protocol (MS-EFSRPC), which is designed for performing maintenance and management operations on encrypted data that is stored remotely and accessed over a network. An unauthenticated attacker can use PetitPotam to coerce a targeted server into connecting to an attacker-controlled server and performing NTLM authentication to it.


Microsoft has provided more detailed mitigation instructions in a separate KB article, KB5005413. Microsoft's "preferred mitigation" is disabling NTLM authentication on a Windows domain controller.

Keep in mind that disabling NTLM authentication may break legacy applications or connections from older versions of Windows, so test the change before enforcing it broadly.


Group Policy Editor: Local Computer Policy / Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Network Security: Restrict NTLM: Incoming NTLM traffic [Set to:] Deny all accounts
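The same policy can be inspected and applied from an elevated PowerShell session on the DC, which is handy for verifying what a GPO actually landed. This is an added example, not part of the original note; the registry value names are the documented backing store for the "Restrict NTLM: Incoming NTLM traffic" and "Audit Incoming NTLM Traffic" policies, while the function names and the assumption that a domain GPO is used for fleet-wide rollout are mine.

```powershell
# Added example: check and set "Network security: Restrict NTLM: Incoming NTLM traffic"
# on a domain controller. The policy is stored as the DWORD RestrictReceivingNTLMTraffic
# under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0:
#   0 = Allow all, 1 = Deny all domain accounts, 2 = Deny all accounts
# Run elevated on the DC; for a fleet, push the same setting through a domain GPO.

$lsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrictName = 'RestrictReceivingNTLMTraffic'
$auditName    = 'AuditReceivingNTLMTraffic'
$labels       = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }

function Get-IncomingNtlmPolicy {
    # Missing value means the policy is "Not Defined", which behaves like Allow all.
    $props = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    $value = 0
    if ($null -ne $props -and $null -ne $props.$restrictName) { $value = [int]$props.$restrictName }
    [pscustomobject]@{ Value = $value; Meaning = $labels[$value] }
}

function Set-IncomingNtlmPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $lsaKey)) { New-Item -Path $lsaKey -Force | Out-Null }
    Set-ItemProperty -Path $lsaKey -Name $restrictName -Value $Value -Type DWord
}

function Enable-IncomingNtlmAudit {
    # Audit-only mode: 2 = audit all accounts. Nothing is blocked; NTLM sessions that
    # *would* be denied are logged to Microsoft-Windows-NTLM/Operational, which is the
    # testing step the note recommends before switching to Deny.
    if (-not (Test-Path $lsaKey)) { New-Item -Path $lsaKey -Force | Out-Null }
    Set-ItemProperty -Path $lsaKey -Name $auditName -Value 2 -Type DWord
}

Get-IncomingNtlmPolicy                 # current state
Enable-IncomingNtlmAudit               # find legacy clients still using inbound NTLM
# After review of the audit log:
Set-IncomingNtlmPolicy -Value 2        # Deny all accounts, the setting from KB5005413
Get-IncomingNtlmPolicy
```

Because this writes the local registry directly, a domain GPO that defines the same policy will overwrite it at the next refresh, so use the script to verify and the GPO to enforce.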