Threat Intel: PetitPotam NTLM Relay Attack: Disable NTLM Incoming Traffic on DCs

744b05b3-e1aa-47d0-b4ca-0d327bd6ab3d

PetitPotam abuses the Encrypting File System (MS-EFSRPC) protocol, which is designed for performing maintenance and management operations on encrypted data that is stored remotely and accessed over a network. An unauthenticated attacker can use PetitPotam to get a targeted server to connect to their server and perform NTLM authentication.

https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/
https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html

Remediation

Microsoft has provided more detailed mitigation instructions in a separate KB article, KB5005413. Microsoft's "preferred mitigation" is disabling NTLM authentication on a Windows domain controller.

Keep in mind that disabling NTLM authentication may break legacy apps or connections to older versions of Windows, as such some testing is recommended.

KB50005413: https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

GroupPolicy Editor: Local Computer Policy / Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options / Network Security: Restrict NTLM: Incomming NTLM traffic [Set to:] Deny all accounts



domaincontroller
threat-intel