Analytics Story: PetitPotam NTLM Relay on Active Directory Certificate Services
Description
PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.
Why it matters
In June 2021, security researchers at SpecterOps released a blog post and white paper detailing several potential attack vectors against Active Directory Certificated Services (ADCS). ADCS is a Microsoft product that implements Public Key Infrastrucutre (PKI) functionality and can be used by organizations to provide and manage digital certiticates within Active Directory.\ In July 2021, a security researcher released PetitPotam, a tool that allows attackers to coerce Windows systems into authenticating to arbitrary endpoints.\ Combining PetitPotam with the identified ADCS attack vectors allows attackers to escalate privileges from an unauthenticated anonymous user to full domain admin privileges.
Detections
Name | Technique | Type |
---|---|---|
PetitPotam Network Share Access Request | Forced Authentication | TTP |
PetitPotam Suspicious Kerberos TGT Request | OS Credential Dumping | TTP |
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Windows Event Log Security 4768 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 5145 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
References
- https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay
- https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
- https://github.com/topotam/PetitPotam/
- https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
- https://attack.mitre.org/techniques/T1187/
Source: GitHub | Version: 1