PetitPotam Attack – Have You Hardened Your Active Directory?
Written by: Venu Vissamsetty – VP Security Research, Attivo Networks

Security researcher Gilles Lionel recently disclosed an attack technique named PetitPotam, allowing attackers to achieve domain compromise with just network access to the enterprise infrastructure. The technique is a classic NTLM relay attack against any exposed server service (for example, a domain controller). Lionel also released proof-of-concept code on GitHub, demonstrating how attackers can use this specific attack technique to achieve domain compromise. Several other security researchers confirmed the severity and impact of this attack technique soon afterward.
As per the Microsoft advisory, customers are vulnerable to this attack if they are using Active Directory Certificate Servers (AD CS) with any of the following services:
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service
The technique forces a domain controller to authenticate to a malicious NTLM relay (using the MS-EFSRPC protocol), allowing attackers to capture the DC’s NTLM authentication and relay it over HTTP to the domain’s Active Directory Certificate Services. The attacker eventually obtains a Kerberos ticket-granting ticket (TGT) that lets them assume the identity of any device on the network, including a domain controller, leading to domain compromise.
With attack techniques such as these, it becomes increasingly important to continuously monitor Active Directory for misconfigurations, exposures, and the use of legacy protocols.
Attackers using PetitPotam first discover servers running AD CS with web enrollment.
Attivo customers can use the ADSecure solution’s capability to:
- Detect attackers early in the attack cycle as they conduct discovery activities to find servers
- Redirect attackers by hiding actual results and returning fake information leading to decoy servers
- Get real-time visibility into attempts to discover domain controllers through unauthorized queries
The Attivo ADSecure solution also protects against attackers exploiting this vulnerability to generate a Golden Ticket attack.
The Attivo ADAssessor solution provides visibility into critical domain-, computer-, and user-level exposures and weak configurations. The “Weak SMB Signing” detection in ADAssessor is a domain-level exposure check that examines the domain’s SMB configuration and flags the domain if SMB signing is not configured. Attivo customers who have deployed the ADAssessor solution and have taken measures to remediate are protected from this PetitPotam technique. The following screenshot details how Attivo ADAssessor would report the exposure due to “Weak SMB Signing” and the related remediation recommendations.
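As an added example (not ADAssessor’s code and not from the original post), the script below audits a single Windows host for the two exposures this post describes: an SMB server that does not require signing, and the AD CS web enrollment services (the two roles named above) being installed. It goes one step beyond the post by also checking whether the CertSrv web enrollment endpoint requires Extended Protection for Authentication, the relay mitigation the Microsoft advisory recommends. It assumes it is run elevated on the server being checked and that the WebAdministration module is available where IIS is installed; the role names and configuration paths are standard Windows values, but verify them in your own environment.

```powershell
# Added example: host-level audit for PetitPotam-related exposures.
# Assumes an elevated session on the host being checked (AD CS server or DC).
function Test-PetitPotamExposure {
    $findings = @()

    # 1. "Weak SMB Signing": a server that does not require signing lets a relayed
    #    session be used without the attacker holding the session key.
    $smb = Get-SmbServerConfiguration
    if (-not $smb.RequireSecuritySignature) {
        $findings += "SMB server does not require signing (RequireSecuritySignature = False)"
    }

    # 2. AD CS web enrollment roles named in the Microsoft advisory.
    $roles = @{
        'ADCS-Web-Enrollment' = 'Certificate Authority Web Enrollment'
        'ADCS-Enroll-Web-Svc' = 'Certificate Enrollment Web Service'
    }
    $installed = Get-WindowsFeature |
        Where-Object { $_.Installed -and $roles.ContainsKey($_.Name) }
    foreach ($f in $installed) {
        $findings += "AD CS role installed: $($roles[$f.Name]) ($($f.Name))"
    }

    # 3. If Web Enrollment is present, check Extended Protection on /CertSrv.
    #    tokenChecking = 'Require' rejects NTLM authentication relayed from another host.
    if ($installed.Name -contains 'ADCS-Web-Enrollment') {
        Import-Module WebAdministration
        $epa = Get-WebConfiguration `
            -PSPath 'IIS:\Sites\Default Web Site\CertSrv' `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
        if ($epa.tokenChecking -ne 'Require') {
            $findings += "CertSrv Extended Protection tokenChecking is '$($epa.tokenChecking)' (expected 'Require')"
        }
    }
    return $findings
}

$result = Test-PetitPotamExposure
if ($result.Count -eq 0) {
    "No PetitPotam-related exposures found on $env:COMPUTERNAME"
} else {
    $result | ForEach-Object { "[EXPOSURE] $_" }
}
```

Run it on each AD CS server and domain controller; any `[EXPOSURE]` line corresponds to a condition the post describes as enabling the relay.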
There are additional ways to prevent attackers from using this specific technique in the enterprise:
There have been multiple attack and vulnerability disclosures around Microsoft Active Directory lately. A continuous assessment of exposures and misconfigurations around Active Directory would go a long way in ensuring attackers don’t leverage these in an organization’s infrastructure. Get a free assessment using the Attivo ADAssessor here.