Written by: Venu Vissamsetty – VP Security Research, Attivo Networks – Security researcher Gilles Lionel recently disclosed an attack technique named PetitPotam that allows attackers to achieve domain compromise with nothing more than network access to the enterprise infrastructure. The technique coerces a Windows host that exposes the MS-EFSRPC interface (e.g., a domain controller) into authenticating to an attacker-controlled machine, which turns it into a classic NTLM relay attack: the coerced authentication is forwarded to another service that accepts NTLM. Lionel also released proof-of-concept code on GitHub demonstrating how attackers can use the technique to achieve domain compromise, and several other security researchers confirmed its severity and impact soon afterward.
As per the Microsoft advisory, customers are vulnerable to this attack if they are running Active Directory Certificate Services (AD CS) with either of the following role services:
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service
The technique uses the MS-EFSRPC protocol to force a domain controller to authenticate to an attacker-controlled host. The attacker does not learn the domain controller's password or hash; instead, the NTLM authentication is relayed, over HTTP, to the domain's AD CS web enrollment endpoint, which accepts it and issues a certificate for the domain controller's machine account. With that certificate the attacker requests a Kerberos ticket-granting ticket (TGT) for the domain controller account, and with the identity of a domain controller they can replicate any credential in the domain, leading to full domain compromise.
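The two stages of that chain leave distinct traces in Windows Security event logs, and the PowerShell below, an added illustration that is not part of the original post or of any Attivo product, flags both: the relayed NTLM authentication of a domain controller machine account arriving from an address that is not a domain controller (event 4624 on the AD CS web enrollment server), and the TGT later issued to that machine account by certificate rather than by password (event 4768 with its certificate fields populated, on the issuing domain controller). The domain controller names and addresses and the sample events are constructed test data; replace them with your own when running against live logs.

```powershell
# Added example, not Attivo's code. Looks for the two log artefacts of a
# PetitPotam + AD CS relay in Windows Security events:
#   1. a DC machine account logging on with NTLM over the network from an
#      address that is not a DC: the coerced, relayed handshake landing on the
#      CA (event 4624, logged on the CA / web enrollment server)
#   2. a TGT issued to that machine account by certificate instead of password:
#      event 4768 with PreAuthType 16 (PA-PK-AS-REQ) and the certificate fields
#      populated, logged on the DC that issued the ticket
# The DC names, addresses and events below are constructed sample data.

function ConvertTo-EventMap {
    # Flattens one event's XML (the shape Get-WinEvent's ToXml() returns) into a hashtable.
    param([xml]$EventXml)
    $map = @{}
    $idNode = $EventXml.GetElementsByTagName('EventID') | Select-Object -First 1
    $map['EventID'] = [int]$idNode.InnerText
    foreach ($d in $EventXml.GetElementsByTagName('Data')) {
        $map[$d.GetAttribute('Name')] = $d.InnerText
    }
    return $map
}

function Find-PetitPotamIndicators {
    param(
        [xml[]]$Events,
        [string[]]$DomainControllers,          # NetBIOS names, without the trailing $
        [string[]]$DomainControllerAddresses   # addresses a DC machine account legitimately logs on from
    )
    $dcAccounts = $DomainControllers | ForEach-Object { $_ + '$' }
    $trusted = @('-', '::1', '127.0.0.1') + $DomainControllerAddresses

    foreach ($e in $Events) {
        $f = ConvertTo-EventMap $e
        switch ($f['EventID']) {
            4624 {
                if ($dcAccounts -contains $f['TargetUserName'] -and
                    $f['LogonType'] -eq '3' -and
                    $f['AuthenticationPackageName'] -eq 'NTLM' -and
                    $trusted -notcontains $f['IpAddress']) {
                    [pscustomobject]@{
                        Stage    = 'relayed NTLM logon'
                        Account  = $f['TargetUserName']
                        SourceIp = $f['IpAddress']
                        Detail   = 'DC machine account authenticated with NTLM from a non-DC address'
                    }
                }
            }
            4768 {
                if ($dcAccounts -contains $f['TargetUserName'] -and
                    $f['CertThumbprint'] -and $f['CertThumbprint'] -ne '-') {
                    [pscustomobject]@{
                        Stage    = 'certificate TGT'
                        Account  = $f['TargetUserName']
                        SourceIp = $f['IpAddress']
                        Detail   = "TGT via PKINIT, PreAuthType $($f['PreAuthType']), issuer $($f['CertIssuerName']), thumbprint $($f['CertThumbprint'])"
                    }
                }
            }
        }
    }
}

function New-SampleEvent {
    # Builds a minimal Security event XML for the demo (constructed test data).
    param([int]$Id, [hashtable]$Data)
    $fields = ($Data.GetEnumerator() | ForEach-Object { "<Data Name=`"$($_.Key)`">$($_.Value)</Data>" }) -join ''
    return [xml]"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID></System><EventData>$fields</EventData></Event>"
}

$sampleEvents = @(
    # seen on CA01: DC01$ arrives over NTLM from 10.10.20.55, the relay host (flagged)
    (New-SampleEvent -Id 4624 -Data @{ TargetUserName = 'DC01$'; TargetDomainName = 'CORP'; LogonType = '3'; AuthenticationPackageName = 'NTLM'; WorkstationName = '-'; IpAddress = '10.10.20.55' }),
    # ordinary DC-to-DC Kerberos logon (not flagged)
    (New-SampleEvent -Id 4624 -Data @{ TargetUserName = 'DC02$'; TargetDomainName = 'CORP'; LogonType = '3'; AuthenticationPackageName = 'Kerberos'; WorkstationName = 'DC02'; IpAddress = '10.10.10.2' }),
    # seen on a DC: TGT for DC01$ requested with the relayed-enrolled certificate (flagged)
    (New-SampleEvent -Id 4768 -Data @{ TargetUserName = 'DC01$'; TargetDomainName = 'CORP'; PreAuthType = '16'; IpAddress = '10.10.20.55'; CertIssuerName = 'corp-CA01-CA'; CertSerialNumber = '1A00000012'; CertThumbprint = 'D3B07384D113EDEC49EAA6238AD5FF00D3B07384' }),
    # ordinary password-based TGT request (not flagged)
    (New-SampleEvent -Id 4768 -Data @{ TargetUserName = 'alice'; TargetDomainName = 'CORP'; PreAuthType = '2'; IpAddress = '10.10.30.7'; CertIssuerName = '-'; CertSerialNumber = '-'; CertThumbprint = '-' })
)

Find-PetitPotamIndicators -Events $sampleEvents -DomainControllers 'DC01', 'DC02' -DomainControllerAddresses '10.10.10.1', '10.10.10.2' |
    Format-Table -AutoSize
```

Against live logs, replace `$sampleEvents` with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4768} | ForEach-Object { [xml]$_.ToXml() }`, run on the enrollment server for the 4624 stage and on the domain controllers for the 4768 stage. The certificate check is deliberately limited to domain controller machine accounts: smart-card users populate the same 4768 fields legitimately, whereas a domain controller account obtaining a TGT by certificate is rare enough to baseline and alert on.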
With attack techniques such as these, it becomes increasingly important to continuously monitor Active Directory for misconfigurations, exposures, and the use of legacy protocols such as NTLM.
Attackers attempting a PetitPotam attack first need to discover servers running AD CS with web enrollment.
Attivo customers can use the ADSecure solution to:
- Detect attackers early in the attack cycle as they conduct discovery activities to find servers
- Redirect attackers by hiding actual results and returning fake information leading to decoy servers
- Get real-time visibility into attempts to discover domain controllers through unauthorized queries
The Attivo ADSecure solution also protects against attackers who use the domain controller identity obtained through this technique to mount a Golden Ticket attack.
The Attivo ADAssessor solution provides visibility into critical domain-, computer-, and user-level exposures and weak configurations. The "Weak SMB Signing" exposure detection in ADAssessor is a domain-level check that examines the SMB configuration in the domain and highlights when SMB signing is not required. Attivo customers who have deployed ADAssessor and remediated this exposure are protected against the coerced authentication being relayed to SMB services. Note that the AD CS path described above relays to the certificate web enrollment endpoint over HTTP, which SMB signing does not cover, so the AD CS-specific mitigations in the Microsoft advisory (above all, Extended Protection for Authentication on the two web enrollment services) are also required. The following screenshot details how Attivo ADAssessor reports the "Weak SMB Signing" exposure and the related remediation recommendations.
There are additional ways to prevent attackers from using this specific technique in the enterprise:
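As an added check, not part of the original post or of any Attivo product, the PowerShell below audits the host it runs on for the settings this technique depends on: the SMB signing requirement behind the "Weak SMB Signing" exposure above, and, on the AD CS web enrollment server, the hardening the Microsoft advisory referenced above (KB5005413) prescribes for the two role services listed earlier: Extended Protection for Authentication required, SSL required, and the NTLM provider removed. Each setting is printed as OK or WEAK next to the command that corrects it. The application path "Default Web Site/CertSrv" and the appcmd.exe location are assumptions (the defaults); adjust them if your enrollment site differs.

```powershell
# Added example, not Attivo's code. Audits the host it runs on for the settings
# this technique depends on and prints each as OK or WEAK with its fix:
#   - SMB signing required for server and client (the "Weak SMB Signing"
#     exposure); this stops relays of the coerced authentication to SMB targets
#   - on the CA / enrollment web server, the AD CS web enrollment application
#     per Microsoft's KB5005413 guidance: Extended Protection for
#     Authentication (EPA) required, SSL required, NTLM provider removed
# Assumptions: the enrollment application is at the default path
# "Default Web Site/CertSrv" and appcmd.exe is in %windir%\System32\inetsrv.

function Test-SmbSigning {
    # RequireSecuritySignature = 1 is what the "Digitally sign communications
    # (always)" policy writes for each role; anything else accepts unsigned SMB.
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $val = (Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
        [pscustomobject]@{
            Check  = "$svc SMB signing required"
            Status = $(if ($val -eq 1) { 'OK' } else { 'WEAK' })
            Value  = "RequireSecuritySignature=$val"
            Fix    = "Set-ItemProperty -Path '$key' -Name RequireSecuritySignature -Value 1 (or the equivalent GPO setting)"
        }
    }
}

function Test-CertSrvHardening {
    param([string]$App = 'Default Web Site/CertSrv')
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    if (-not (Test-Path $appcmd)) { return }   # not an IIS host, nothing to check

    $authSection = 'system.webServer/security/authentication/windowsAuthentication'
    $auth   = & $appcmd list config $App "-section:$authSection" | Out-String
    $access = & $appcmd list config $App '-section:system.webServer/security/access' | Out-String
    if ($auth -notmatch 'windowsAuthentication') {
        Write-Warning "appcmd returned no Windows authentication configuration for '$App'; check the application path"
        return
    }

    # EPA: tokenChecking must be Require; Allow or None still accepts a relayed handshake.
    $epa = if ($auth -match 'tokenChecking="(\w+)"') { $Matches[1] } else { 'None' }
    [pscustomobject]@{
        Check  = 'CertSrv EPA required'
        Status = $(if ($epa -eq 'Require') { 'OK' } else { 'WEAK' })
        Value  = "tokenChecking=$epa"
        Fix    = "appcmd set config `"$App`" -section:$authSection /extendedProtection.tokenChecking:Require /extendedProtection.flags:None /commit:apphost"
    }

    # EPA channel binding only exists over TLS, so the application must require SSL.
    $ssl = if ($access -match 'sslFlags="([^"]*)"') { $Matches[1] } else { 'None' }
    [pscustomobject]@{
        Check  = 'CertSrv SSL required'
        Status = $(if ($ssl -match '\bSsl\b') { 'OK' } else { 'WEAK' })
        Value  = "sslFlags=$ssl"
        Fix    = "appcmd set config `"$App`" -section:system.webServer/security/access /sslFlags:Ssl /commit:apphost"
    }

    # Providers: an NTLM entry is a relay target even when Kerberos is available;
    # a bare Negotiate entry can still fall back to NTLM, Negotiate:Kerberos cannot.
    $providers = [regex]::Matches($auth, '<add value="([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
    [pscustomobject]@{
        Check  = 'CertSrv NTLM provider removed'
        Status = $(if ($providers -contains 'NTLM') { 'WEAK' } else { 'OK' })
        Value  = "providers=$($providers -join ',')"
        Fix    = "appcmd set config `"$App`" -section:$authSection /-`"providers.[value='NTLM']`" /commit:apphost"
    }
}

@(Test-SmbSigning) + @(Test-CertSrvHardening) | Format-Table Check, Status, Value, Fix -Wrap
```

Run it elevated on each domain controller (SMB signing) and on the CA or enrollment web server (all checks). It only reports; apply the printed fixes through your change process, and remember that EPA and the SSL requirement belong together, since channel binding has nothing to bind to over plain HTTP.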
There have been multiple attack and vulnerability disclosures around Microsoft Active Directory lately. A continuous assessment of exposures and misconfigurations around Active Directory would go a long way in ensuring attackers don’t leverage these in an organization’s infrastructure. Get a free assessment using the Attivo ADAssessor here.