Microsoft Guidance for Mitigating PetitPotam NTLM Relay Attacks
MS Alert KB5005413
Microsoft has publicly released an alert, KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS), to address an NTLM relay attack designated PetitPotam. The alert provides active mitigation strategies and recommendations for organizations potentially affected by the PetitPotam relay attack.
PetitPotam is a novel attack method that can be used to conduct a New Technology LAN Manager (NTLM) relay attack against targeted organizations. The attack uses the Microsoft Encrypting File System Remote Protocol (EFSRPC) to force a device to authenticate to a remote NTLM relay directly controlled by a threat actor. Once the device authenticates to the malicious NTLM server, a threat actor can steal hashes and certificates that can be used to assume the identity of the device and its privileges. This identity theft can be used on its own or as a step in further attacks upon targeted organizations.
Researchers have released a proof-of-concept script for the PetitPotam technique on GitHub that can be used to force a domain controller to authenticate against a remote NTLM relay under an attacker's control using the MS-EFSRPC API. This proof-of-concept release significantly shortens development time for threat actors, as the code could be used to quickly weaponize the technique in future campaigns.
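The alert itself leaves the detection side to the reader, so the following is an added example (not code from the alert or from Microsoft): a heuristic over constructed Windows Security event 4624 fields that flags a domain controller's machine account logging on over NTLM from an address other than its own, which is what a relay of coerced EFSRPC authentication looks like on the receiving server. The event records and the `KNOWN_HOSTS` inventory are constructed sample data, not real telemetry.

```python
"""Heuristic detection of relayed machine-account NTLM logons (constructed sample data)."""

# Constructed sample events: the subset of Windows Security event 4624
# (successful logon) fields the heuristic needs. In a PetitPotam-style relay
# the DC's machine account (DC01$) is coerced into authenticating and the relay
# replays that authentication to another server (e.g. AD CS web enrollment),
# so the logon arrives over NTLM from an IP address that is not the DC's own.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.10"},      # DC's own IP: benign
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.55"},      # Kerberos: not a relay
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.55"},      # suspicious
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "10.0.0.55"},      # user account: out of scope
]

# Assumed (hypothetical) inventory: machine account -> addresses it legitimately
# logs on from. Only accounts listed here are evaluated; in practice this would
# be populated from DNS/AD for every domain controller.
KNOWN_HOSTS = {"DC01$": {"10.0.0.10"}}


def is_suspect_machine_ntlm_logon(event, known_hosts=KNOWN_HOSTS):
    """True when an inventoried machine account authenticates via NTLM from an
    address not associated with that machine (network logon, type 3)."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return False
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    account = event.get("TargetUserName", "")
    if not account.endswith("$") or account not in known_hosts:
        return False
    return event.get("IpAddress") not in known_hosts[account]


def find_suspect_logons(events, known_hosts=KNOWN_HOSTS):
    """Return the events that match the relayed machine-account heuristic."""
    return [e for e in events if is_suspect_machine_ntlm_logon(e, known_hosts)]


if __name__ == "__main__":
    for e in find_suspect_logons(SAMPLE_EVENTS):
        print(f"possible relayed machine-account logon: "
              f"{e['TargetUserName']} from {e['IpAddress']}")
```

Kerberos logons and ordinary user accounts are deliberately excluded so the rule stays focused on the coerced-DC pattern; a hit should be correlated with the target server's own logs (for example, AD CS enrollment requests) before escalation.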
Note: Please see the Pdf version for full alert details and resource links.