Analytics Story: PetitPotam NTLM Relay on Active Directory Certificate Services

Description

PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.

Why it matters

In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.

Detections

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Windows Event Log Security 4768	Windows	xmlwineventlog	XmlWinEventLog:Security
Windows Event Log Security 5145	Windows	xmlwineventlog	XmlWinEventLog:Security

References

• https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay
• https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
• https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
• https://github.com/topotam/PetitPotam/
• https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
• https://attack.mitre.org/techniques/T1187/

Source: GitHub | Version: 1