Threat Intel: PetitPotam Certificate Enrollment Web Service on Domain Controller

e1e6e9f0-1825-4f22-ab9a-f1a238843c01

PetitPotam abuses the Encrypting File System (MS-EFSRPC) protocol, which is designed for performing maintenance and management operations on encrypted data that is stored remotely and accessed over a network. An unauthenticated attacker can use PetitPotam to get a targeted server to connect to their server and perform NTLM authentication.

https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/
https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html
https://twitter.com/gentilkiwi/status/1418700887195795456
https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
https://github.com/gentilkiwi/mimikatz/releases

Remediation

Security Researchers and Microsoft recommend that on Windows Server Domain Controllers, the Windows feature "Certificate Enrollment Web Service" is removed since it is not needed in most cases and represent a security risk

https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429



domaincontroller
threat-intel