Mitigations for PetitPotam Windows NTLM Relay Attack
Microsoft has released mitigations to help users protect systems from the PetitPotam Windows NT LAN Manager (NTLM) relay attack that could make Windows systems reveal password hashes. Microsoft’s recommended mitigation is to disable NTLM authentication on Windows domain controllers.
These last few weeks have provided attackers with a number of interesting new opportunities for lateral movement. PrintNightmare, Summer of SAM, and now PetitPotam are all broadly applicable, and it will likely take months (years?) to patch or mitigate them completely. That is one more reason to improve your detection coverage for these exploits: make sure the relevant indicators are covered.
PetitPotam affects Windows Server 2008 through 2019. If you cannot disable NTLM, make sure you are using signing features such as SMB signing or Extended Protection for Authentication (EPA). Also make sure your Active Directory Certificate Services (AD CS) servers are configured to protect against NTLM relay attacks. See Microsoft KB5005413 for the mitigation steps.
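As an added example that is not from the original post or from Microsoft's KB, the following PowerShell audit reads the local settings behind the mitigations listed above (SMB signing, NTLM restriction policy, EPA on the AD CS web enrollment site) and flags which are not in place. The registry value names and the IIS path 'IIS:\Sites\Default Web Site\CertSrv' are assumptions that should be checked against KB5005413 and your own deployment.

```powershell
# Added audit script (not from the original post or Microsoft's KB). Run elevated on the
# server being checked. Assumed: default AD CS web enrollment path under Default Web Site.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the policy is not configured
}

$findings = @()

# 1. SMB signing: both the server and client side should *require* signing (1).
$smbServer = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
$smbClient = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
$findings += [pscustomobject]@{ Check = 'SMB signing required (server)'; Value = $smbServer; Ok = ($smbServer -eq 1) }
$findings += [pscustomobject]@{ Check = 'SMB signing required (client)'; Value = $smbClient; Ok = ($smbClient -eq 1) }

# 2. NTLM restriction policies ("Network security: Restrict NTLM ...").
#    Incoming traffic: 2 = deny all accounts. On a DC, RestrictNTLMInDomain 7 = deny all.
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlmIn  = Get-RegDword $lsa 'RestrictReceivingNTLMTraffic'
$ntlmDom = Get-RegDword $lsa 'RestrictNTLMInDomain'
$findings += [pscustomobject]@{ Check = 'Incoming NTLM denied'; Value = $ntlmIn; Ok = ($ntlmIn -eq 2) }
$findings += [pscustomobject]@{ Check = 'NTLM denied in domain (DC only)'; Value = $ntlmDom; Ok = ($ntlmDom -eq 7) }

# 3. EPA on AD CS web enrollment: Windows auth extended protection must be set to Require.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $site = 'IIS:\Sites\Default Web Site\CertSrv'   # assumed default path; adjust if needed
    $epa = Get-WebConfigurationProperty -PSPath $site `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name extendedProtection -ErrorAction SilentlyContinue
    $token = if ($epa) { $epa.tokenChecking } else { $null }
    $findings += [pscustomobject]@{ Check = 'EPA required on /CertSrv'; Value = $token; Ok = ($token -eq 'Require') }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more NTLM relay mitigations are not in place; see KB5005413.'
}
```

A null Value means the policy is simply not configured, which for these checks counts as not mitigated.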
The guidance from Microsoft is not new, but it is being highlighted because of a new attack method. Most technology cannot be deployed as is; investment in people and process is required to ensure proper configuration. The same is true of security solutions: people need to follow a process to tune, detect, and respond to attacks.
Read more in:
Threatpost: Microsoft Rushes Fix for ‘PetitPotam’ Attack PoC
Bleeping Computer: Microsoft shares mitigations for new PetitPotam NTLM relay attack
The Register: You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick
Microsoft: KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
MSRC: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
GitHub: topotam / PetitPotam