NTLM Relay Attack PetitPotam Targets AD Certificate Services
The PetitPotam attack is a new type of NTLM relay attack that targets the Active Directory Certificate Services (AD CS). This attack exploits the NTLM authentication protocol used in Windows environments to relay authentication requests to a domain controller and gain unauthorized access to AD CS. In this blog, we will discuss the PetitPotam attack and how Vijilan Security can help organizations protect against this attack.
What is the PetitPotam attack?
PetitPotam is a variant of the NTLM relay attack that was disclosed in July 2021. It exploits a vulnerability in MS-EFSRPC (the Encrypting File System Remote Protocol) used by Active Directory Certificate Services (AD CS) to coerce a Windows domain controller into authenticating to an attacker-controlled server.
The attacker can then use that relayed authentication to carry out a range of actions, including stealing domain controller data, creating new domain users, or generating fake SSL/TLS certificates. In essence, PetitPotam allows an attacker to take control of a domain controller and perform malicious activities.
How does Vijilan Security help protect against the PetitPotam attack?
Vijilan Security offers a comprehensive suite of security solutions that can help organizations protect against the PetitPotam attack. Our team of security experts can work with organizations to implement security best practices, including:
- Disable NTLM authentication
The PetitPotam attack exploits the NTLM authentication protocol, which is an outdated and insecure protocol. Vijilan Security can help organizations disable NTLM authentication and switch to more secure authentication protocols like Kerberos.
- Implement Secure RPC
Secure RPC is a Microsoft-recommended security measure that protects against NTLM relay attacks. Vijilan Security can help organizations implement Secure RPC and ensure that all Active Directory Certificate Services (AD CS) servers are configured correctly.
- Implement Firewall Rules
Vijilan Security can help organizations implement firewall rules that restrict access to the AD CS servers. This ensures that only authorized users and devices can access the servers, reducing the risk of unauthorized access.
- Implement Intrusion Detection Systems
Intrusion Detection Systems (IDS) can help detect and alert organizations to potential PetitPotam attacks. Vijilan Security can help organizations implement IDS and monitor network traffic to detect and respond to attacks quickly.
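As an added example (not code from this post or from Vijilan Security), here is the kind of log check an IDS or SIEM pipeline can run for the relay step described above: a domain controller's machine account showing up in a successful NTLM network logon on the CA server from an address that is not the DC's own. The event records, field names and host inventory below are constructed for the example, and the inventory mapping is assumed to exist in your asset database.

```python
import ipaddress

# Constructed sample logon records (invented for this example), modelled loosely
# on the fields of Windows Security event 4624 as exported from the CA server.
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "DC01$", "auth_package": "Kerberos",
     "logon_type": 3, "src_ip": "10.0.0.10", "target_host": "CA01"},
    {"event_id": 4624, "account": "DC01$", "auth_package": "NTLM",
     "logon_type": 3, "src_ip": "10.0.0.10", "target_host": "CA01"},
    {"event_id": 4624, "account": "DC01$", "auth_package": "NTLM",
     "logon_type": 3, "src_ip": "10.0.9.77", "target_host": "CA01"},
    {"event_id": 4624, "account": "jsmith", "auth_package": "NTLM",
     "logon_type": 3, "src_ip": "10.0.9.77", "target_host": "CA01"},
    {"event_id": 4625, "account": "DC01$", "auth_package": "NTLM",
     "logon_type": 3, "src_ip": "10.0.9.77", "target_host": "CA01"},
]

# Assumed asset inventory: the addresses each machine account is expected to come from.
KNOWN_HOST_IPS = {"DC01$": {"10.0.0.10"}, "WS07$": {"10.0.5.23"}}


def is_coerced_relay_candidate(event, inventory):
    """True when a machine account logs on over NTLM from an address that is not its own.

    A relayed coerced authentication reaches the CA as a successful network
    logon (4624, type 3) for the DC's machine account over NTLM, but the TCP
    peer is the relay host rather than the DC itself.
    """
    if event["event_id"] != 4624 or event["logon_type"] != 3:
        return False
    if event["auth_package"].upper() != "NTLM":
        return False
    account = event["account"]
    if not account.endswith("$"):
        return False  # user accounts are outside the scope of this check
    try:
        src = ipaddress.ip_address(event["src_ip"])
    except ValueError:
        return True  # an unparsable source address deserves a look
    known = {ipaddress.ip_address(ip) for ip in inventory.get(account, set())}
    return src not in known


def find_suspect_logons(events, inventory=KNOWN_HOST_IPS):
    """Return the (account, src_ip) pairs that fail the check, in log order."""
    return [(e["account"], e["src_ip"]) for e in events
            if is_coerced_relay_candidate(e, inventory)]


if __name__ == "__main__":
    for account, ip in find_suspect_logons(SAMPLE_EVENTS):
        print(f"ALERT: machine account {account} authenticated via NTLM from {ip}")
```

A machine account missing from the inventory also fires, so the inventory must be kept complete to avoid noise. The check is a complement to, not a substitute for, disabling NTLM on the AD CS endpoints.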
Conclusion
The PetitPotam attack is a new type of NTLM relay attack that targets Active Directory Certificate Services (AD CS). This attack can be devastating for organizations, as it allows attackers to gain unauthorized access to domain controllers and perform malicious activities.
At Vijilan Security, we understand the importance of securing organizations’ digital assets against evolving cyber threats like the PetitPotam attack. Our team of security experts can work with organizations to implement security best practices and ensure that they are protected against this attack. Contact us today to learn more about our security solutions and how we can help secure your organization’s digital assets.