Microsoft presents its defense against the PetitPotam NTLM relay attack on Windows Server


Hackers and threat actors are constantly looking for new ways to breach systems, for cybersecurity research or for exploitation respectively. Fortunately, French researcher Gilles Lionel got there first with an NTLM relay attack nicknamed PetitPotam, and Microsoft has now released a mitigation technique that IT administrators should implement to stay secure.

Last week, French cybersecurity researcher Gilles Lionel published information about PetitPotam on GitHub. Lionel discovered that, using a tool he had written, it was possible “to force Windows hosts to authenticate to other machines via the MS-EFSRPC EfsRpcOpenFileRaw function”. Simply put, an attacker could use the program to extract credentials and certificates over NTLM from a remote Windows server and then take it over.

In a recent security advisory, Microsoft explains that “PetitPotam is a classic NTLM relay attack, and such attacks have already been documented by Microsoft with many mitigation options to protect customers.” These mitigation tactics include disabling NTLM on all Active Directory Certificate Services (AD CS) servers through Group Policy and disabling NTLM for Internet Information Services (IIS) on AD CS servers in the domain. This can be done by following the tutorial Microsoft provides in the advisory.
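For administrators who want to verify that those two mitigations are actually in place on an AD CS host, the following PowerShell audit is an added example, written for this article and not taken from Microsoft's advisory or from Lionel's tool. It is read-only: it reports the state of the incoming-NTLM restriction that the Group Policy setting writes to the registry, and the Windows authentication providers on the IIS Web Enrollment application. The IIS application path `Default Web Site/CertSrv` is assumed to be the default Web Enrollment install and should be adjusted for your environment; the Extended Protection check reflects Microsoft's broader AD CS hardening guidance rather than anything stated in the article.

```powershell
# Added example (not from the article, Microsoft, or Lionel): audit the PetitPotam
# mitigations on an AD CS server. Run elevated on the AD CS host. Read-only.

$results = [ordered]@{}

# 1. Incoming NTLM restriction. The Group Policy setting
#    "Network security: Restrict NTLM: Incoming NTLM traffic" is stored at this
#    registry value: 0 = Allow all, 1 = Deny all domain accounts, 2 = Deny all accounts.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm = (Get-ItemProperty -Path $lsaKey -Name 'RestrictReceivingNTLMTraffic' `
            -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
$results['IncomingNTLM'] = switch ($ntlm) {
    2       { 'OK: Deny all accounts' }
    1       { 'PARTIAL: Deny all domain accounts (local accounts may still use NTLM)' }
    default { 'FAIL: incoming NTLM accepted (value missing or 0)' }
}

# 2. IIS Windows authentication on the Web Enrollment application.
Import-Module WebAdministration
$app    = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default Web Enrollment path
$filter = 'system.webServer/security/authentication/windowsAuthentication'

# Providers are a collection of <add value="..."/> elements; NTLM should be absent,
# leaving Negotiate (Kerberos) only.
$providers = (Get-WebConfigurationProperty -PSPath $app -Filter $filter -Name 'providers').Collection |
    ForEach-Object { $_.value }
$results['IISProviders'] = if ($providers -contains 'NTLM') {
    "FAIL: NTLM provider enabled ($($providers -join ', '))"
} else {
    "OK: $($providers -join ', ')"
}

# Extended Protection for Authentication binds the authentication to the TLS
# channel, so a relayed NTLM exchange is rejected even if NTLM remains enabled.
$epa = Get-WebConfigurationProperty -PSPath $app -Filter "$filter/extendedProtection" -Name 'tokenChecking'
$epaValue = if ($epa.PSObject.Properties['Value']) { $epa.Value } else { $epa }
$results['ExtendedProtection'] = if ("$epaValue" -eq 'Require') { 'OK: Require' } else { "FAIL: $epaValue" }

# Print a compact status table.
$results.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
```

Any line reporting FAIL corresponds to a mitigation the advisory calls for that is not yet applied; the registry check covers the Group Policy route and the IIS checks cover the "disable NTLM for IIS on AD CS servers" route described above.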

As it stands, PetitPotam has not been seen in the wild, but that could change quickly as news of the attack vector spreads. Other security researchers have commented on how serious this vulnerability is, which should be taken as a warning. Hopefully a suitable fix will be released before exploitation takes off, so stay tuned to HotHardware for updates.
