Detecting the New PetitPotam Attack With Exabeam

Published: September 07, 2021

Author: Hanan Wullman

Recently PetitPotam, a new POC tool created by researcher Gilles Lionel (@topotam77), was published on GitHub.

PetitPotam forces Windows hosts to authenticate to other machines. With this tool, an attacker can trigger NTLM authentication from the domain controller against a listener computer and then launch an NTLM relay attack. 

This technique is mainly used to seize control of the entire domain by chaining it with an exploit targeting Windows Active Directory Certificate Services (AD CS). In addition, it may be used for other attacks such as an NTLMv1 downgrade, or relaying machine accounts to computers where that machine account is a local admin (SCCM and Exchange servers, for example, are often in this situation).

The technique primarily takes advantage of the MS-EFSRPC EfsRpcOpenFileRaw function.

What is the MS-EFSRPC EfsRpcOpenFileRaw function?

MS-EFSRPC is a Remote Procedure Call (RPC) interface that is used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over a network. It is used in Windows to manage files that reside on remote file servers and are encrypted using the Encrypting File System (EFS). EFS allows the NTFS file system to encrypt files on disk in a manner that is transparent to the user.

The EfsRpcOpenFileRaw method is used to open an encrypted object on the server for backup or restore.

Calling this function forces the targeted computer to initiate an authentication procedure and share its authentication details via NTLM.

Who is vulnerable to it?

PetitPotam can affect Windows Server 2008 through 2019. Most of the time this technique is used to relay SMB authentication to an HTTP certificate enrollment server, allowing full takeover of the domain controller.
The organizations most at risk are those running Active Directory Certificate Services (AD CS) with either of the following services:

  • Certificate Authority Web Enrollment
  • Certificate Enrollment Web Service

Mitigation

The only way to mitigate this technique is to disable NTLM authentication or enable protections, such as SMB signing, LDAP signing, and channel binding.

According to Microsoft, this NTLM relay attack can be mitigated in the same way as other NTLM relay attacks.

Microsoft’s suggestions for mitigations include:

  1. Enabling EPA (Extended Protection for Authentication) and disabling HTTP on AD CS servers.
  2. Disabling NTLM authentication where possible. The following mitigations are listed in order from more secure to less secure:
    1. Disable NTLM authentication on your Windows domain controller.
    2. Disable NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic.
    3. Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.


PetitPotam detection by Exabeam

Detection case 1 

When an abnormal source IP checks whether it has the access right to read and write data on one of the named pipes lsarpc/efsrpc/lsass/samr/netlogon in the IPC$ share, apply the following:

  • Event Code – 5145
  • ShareName – \\*\IPC$
  • AccessMask – 0x3
  • RelativeTargetName – “lsarpc” OR “efsrpc” OR “lsass” OR “samr” OR “netlogon”

Detection case 2

The first time a source IP checks whether it has the access right to read and write data on one of the named pipes lsarpc/efsrpc/lsass/samr/netlogon in the IPC$ share, apply the following:

  • Event Code – 5145
  • ShareName – \\*\IPC$
  • AccessMask – 0x3
  • RelativeTargetName – “lsarpc” OR “efsrpc” OR “lsass” OR “samr” OR “netlogon”

Detection case 3

When an anonymous user checks whether they have the access right to read and write data on one of the named pipes lsarpc/efsrpc/lsass/samr/netlogon in the IPC$ share, apply the following:

  • Event Code – 5145
  • ShareName – \\*\IPC$
  • User – Anonymous Logon
  • AccessMask – 0x3
  • RelativeTargetName – “lsarpc” OR “efsrpc” OR “lsass” OR “samr” OR “netlogon”
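The three detection cases above, written out as an added Python example (not Exabeam's own rule logic) over constructed event 5145 records. Case 1 is modelled as a source IP outside a supplied baseline of hosts that normally touch these pipes, case 2 as the first time an IP appears in the stream, and case 3 as ANONYMOUS LOGON; the dictionary field names, IPs, host and user names, and the baseline set are all assumptions.

```python
# Constructed sample records modelled on the fields of Windows Security event
# 5145; the IPs, host and user names here are made up for the example.
EVENTS = [
    {"EventCode": 5145, "ShareName": r"\\*\IPC$", "AccessMask": "0x3",
     "RelativeTargetName": "efsrpc", "IpAddress": "10.0.0.57", "User": "WS01$"},
    {"EventCode": 5145, "ShareName": r"\\*\IPC$", "AccessMask": "0x3",
     "RelativeTargetName": "lsarpc", "IpAddress": "10.0.0.99",
     "User": "ANONYMOUS LOGON"},
    {"EventCode": 5145, "ShareName": r"\\*\C$", "AccessMask": "0x3",
     "RelativeTargetName": "report.docx", "IpAddress": "10.0.0.57", "User": "alice"},
    {"EventCode": 5145, "ShareName": r"\\*\IPC$", "AccessMask": "0x1",
     "RelativeTargetName": "samr", "IpAddress": "10.0.0.12", "User": "bob"},
    {"EventCode": 5145, "ShareName": r"\\*\IPC$", "AccessMask": "0x3",
     "RelativeTargetName": "efsrpc", "IpAddress": "10.0.0.57", "User": "WS01$"},
]
# Named pipes under IPC$ that the detection cases look for.
PIPES = {"lsarpc", "efsrpc", "lsass", "samr", "netlogon"}

def is_pipe_probe(ev):
    """Base condition shared by all three cases: event 5145 against the IPC$
    share, AccessMask 0x3 (ReadData | WriteData), target is one of PIPES."""
    try:
        mask = int(str(ev.get("AccessMask", "0")), 16)
    except ValueError:
        return False
    return (ev.get("EventCode") == 5145
            and ev.get("ShareName", "").upper().endswith(r"\IPC$")
            and mask == 0x3
            and ev.get("RelativeTargetName", "").lower() in PIPES)

def detect(events, baseline_ips=frozenset()):
    """Apply the three cases to a stream of events and return a list of
    (case, source_ip, pipe) tuples in event order.
    baseline_ips: source IPs that normally touch these pipes (assumed to come
    from a learned baseline). Case 1 fires for any IP outside it, case 2 the
    first time an IP is seen in the stream, case 3 for ANONYMOUS LOGON."""
    seen, alerts = set(), []
    for ev in events:
        if not is_pipe_probe(ev):
            continue
        ip, pipe = ev.get("IpAddress", "?"), ev["RelativeTargetName"].lower()
        if ip not in baseline_ips:
            alerts.append(("case1_abnormal_ip", ip, pipe))
        if ip not in seen:
            seen.add(ip)
            alerts.append(("case2_first_seen_ip", ip, pipe))
        if ev.get("User", "").upper() == "ANONYMOUS LOGON":
            alerts.append(("case3_anonymous", ip, pipe))
    return alerts
```

The non-IPC$ record and the record with AccessMask 0x1 are deliberately included so the base filter can be seen discarding them.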

Conclusion

PetitPotam is a technique that could have a dramatic impact on a company’s operations if used by attackers. We recommend monitoring for attempts to access the named pipes lsarpc/efsrpc/lsass/samr/netlogon. By combining this technique with an exploit targeting Windows AD CS, an adversary could seize control of the entire domain. Organizations can thwart such attacks through early detection by monitoring for unusual access.
