PetitPotam…from attack to detection via Microsoft Defender for Identity (MDI)

The attack

My lab setup for the attack is shown below.

PSPKIAudit

Verify vulnerable certificate templates with PSPKIAudit on the Windows 10 machine (I added Everyone with Full Control on the Computer certificate template). A template that domain computers can enrol in and that allows client authentication is what the relay in the next steps needs.

PetitPotam

PetitPotam is a PoC (Proof of Concept) tool that abuses the MS-EFSRPC (Encrypting File System Remote) protocol to coerce a Windows host (WSRV2016-DC02; 192.168.178.11) into authenticating to an attacker-controlled host (Kali Linux; 192.168.178.49). The coerced authentication is performed by the domain controller's machine account (WSRV2016-DC02$), which is what makes the relay in the next step worthwhile.

NTLMRelayx

Start ntlmrelayx.py with the AD CS web enrollment endpoint on WSRV2016-DC01 (192.168.178.10) as the relay target and wait for the coerced connection. The relayed machine-account authentication is used against the certsrv web enrollment pages to request a (computer) certificate for WSRV2016-DC02$, which ntlmrelayx prints as a Base64-encoded blob. This works because the web enrollment endpoint accepts NTLM over HTTP without Extended Protection for Authentication, the weakness described as ESC8 in the Certified Pre-Owned research.

Rubeus

The Base64 certificate is used with Rubeus (asktgt) to request a Kerberos TGT (Ticket Granting Ticket) for the WSRV2016-DC02$ machine account via PKINIT. From this point on the attacker holds a domain controller identity.

MimiKatz — DCSync

DCSync is a Mimikatz module (lsadump::dcsync) that asks a Domain Controller to replicate account secrets over the directory replication service protocol (MS-DRSR), returning the password hashes of any or all users over the network without an interactive logon. It succeeds here because the TGT obtained in the previous step belongs to a domain controller account, which holds the replication rights DCSync needs.

MimiKatz — Pass the hash

PTH (Pass-the-hash, sekurlsa::pth) is a Mimikatz module that starts a command prompt (or PowerShell, with /run:powershell.exe) in the context of the Administrator account using only the NTLM hash dumped by DCSync, giving a session with Domain Admin privileges.

Microsoft Defender for Identity

Microsoft Defender for Identity is Microsoft's tool for detecting attacks and anomalies in Active Directory, for example Golden Ticket (forged TGT) or Silver Ticket (forged TGS) attacks. It works from network traffic and sensors on the domain controllers rather than from the attacked host, so each step of the chain above (coerced EFSRPC call, certificate-based TGT, DCSync replication, pass-the-hash) is visible to it from the DC side.

Microsoft 365 Defender

Microsoft 365 Defender is the XDR (Extended Detection and Response) portal that correlates related alerts into a single Incident for easier investigation and for automated investigation and response (AIR).
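The chain above (coerced NTLM, relay to AD CS, certificate for the DC machine account, DCSync with that identity) leaves a trail in the Windows Security log on the AD CS host and the domain controllers even without MDI. The following is an added example, not part of the original post and not MDI's own detection logic: it correlates constructed 4624, 4887 and 4662 records that mirror this lab. Field names follow the Windows Security event schema; host names, IP addresses and the events themselves are constructed for the illustration.

```python
"""Correlate Windows Security events for the PetitPotam -> AD CS relay -> DCSync chain.

Added illustration, not part of the original post and not how MDI itself
detects this. Field names follow the Windows Security event schema
(4624, 4887, 4662); host names, IP addresses and the sample events are
constructed to mirror the lab in this post.
"""
import re
from collections import defaultdict

# Constructed inventory: the address each machine account should log on from.
MACHINE_IPS = {
    "WSRV2016-DC01$": "192.168.178.10",
    "WSRV2016-DC02$": "192.168.178.11",
}
DOMAIN_CONTROLLERS = set(MACHINE_IPS)

# Control-access rights that DCSync needs (DS-Replication-Get-Changes*).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample events (only the fields the rules use).
SAMPLE_EVENTS = [
    # DC02$ NTLM network logon at the AD CS host, but the source is the Kali box: relayed auth.
    {"EventID": 4624, "TargetUserName": "WSRV2016-DC02$", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.178.49"},
    # AD CS issued a certificate to the relayed DC02$ identity.
    {"EventID": 4887, "Requester": "LAB\\WSRV2016-DC02$",
     "Subject": "CN=WSRV2016-DC02.lab.local",
     "Attributes": "CertificateTemplate:Machine"},
    # After Rubeus /ptt: Kerberos logon as DC02$, again from the Kali address.
    {"EventID": 4624, "TargetUserName": "WSRV2016-DC02$", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.178.49"},
    # DCSync: a replication right exercised by the DC02$ identity.
    {"EventID": 4662, "SubjectUserName": "WSRV2016-DC02$",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign: DC01$ logging on from its own address.
    {"EventID": 4624, "TargetUserName": "WSRV2016-DC01$", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.178.10"},
    # A plain user exercising replication rights is suspicious on its own.
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def account(name):
    """Normalise 'DOMAIN\\name' or 'name' to upper-case 'NAME' for comparison."""
    return name.split("\\")[-1].upper()


def analyze(events):
    """Return a list of findings. Later rules escalate when the same account
    already tripped an earlier one; that correlation is what ties the chain together."""
    findings = []
    prior = defaultdict(set)  # account -> indicators already seen for it
    for ev in events:
        eid = ev["EventID"]
        if eid == 4624:
            acct = account(ev["TargetUserName"])
            # Machine-account network logon from an address that is not the machine itself.
            if (acct.endswith("$") and ev["LogonType"] == "3"
                    and ev["IpAddress"] != MACHINE_IPS.get(acct)):
                prior[acct].add("foreign_ip_logon")
                findings.append({"rule": "machine_logon_from_foreign_ip",
                                 "account": acct, "source": ev["IpAddress"],
                                 "package": ev["AuthenticationPackageName"]})
        elif eid == 4887:
            acct = account(ev["Requester"])
            # A certificate issued to a machine account that just logged on from elsewhere.
            if acct.endswith("$"):
                sev = "high" if "foreign_ip_logon" in prior[acct] else "medium"
                prior[acct].add("certificate_issued")
                findings.append({"rule": "cert_issued_to_machine_account",
                                 "account": acct, "severity": sev,
                                 "template": ev["Attributes"]})
        elif eid == 4662:
            acct = account(ev["SubjectUserName"])
            guids = {g.lower() for g in GUID_RE.findall(ev["Properties"])}
            if guids & REPLICATION_GUIDS:
                if acct not in DOMAIN_CONTROLLERS:
                    findings.append({"rule": "dcsync_by_non_dc", "account": acct})
                elif prior[acct]:
                    findings.append({"rule": "dcsync_with_compromised_dc_identity",
                                     "account": acct, "prior": sorted(prior[acct])})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Two caveats for anyone turning this into a real rule. The 4662 rule needs the replication control-access rights to be audited on the domain naming context (a SACL on the domain object), and legitimate DC-to-DC replication will produce the same GUIDs, which is why the example only reports a DC account when it has already tripped an earlier indicator. The source address on the IIS-side 4624 is the weaker of the signals, since HTTP logons do not always populate it; the Kerberos events recorded by the KDC (4768 for the PKINIT TGT request, 4769 for the service tickets used for DCSync) carry the client address and are a better feed for the foreign-IP check.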

Mitigation

Remove NTLM authentication from the AD CS web enrollment application (CertSrv) in IIS (Internet Information Services), so the relayed NTLM authentication has nothing to land on. Microsoft's guidance for this attack (KB5005413, Mitigating NTLM Relay Attacks on Active Directory Certificate Services) additionally recommends enabling Extended Protection for Authentication (EPA) and requiring SSL on the CertSrv site; EPA binds the NTLM authentication to the TLS channel, which defeats the relay even where NTLM has to stay enabled for other clients. Disabling NTLM on CertSrv is a change to watch in production, as clients that cannot obtain a Kerberos ticket for the CA (for example those reaching it by IP address) will no longer be able to enrol through the web pages.
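The settings involved all live in the CertSrv location of the IIS applicationHost.config. The following is an added example, not from the original post: it audits a constructed weak fragment and a constructed hardened fragment for the three points above (no NTLM-capable provider, Extended Protection required, SSL required). The element and attribute names (windowsAuthentication, providers, extendedProtection tokenChecking, access sslFlags) are the ones IIS uses; the site path and both fragments are assumptions for the illustration.

```python
"""Audit the IIS CertSrv (AD CS web enrollment) application for the settings
that stop NTLM relay: no NTLM-capable provider, Extended Protection required,
SSL required.

Added example, not from the original post. The two applicationHost.config
fragments are constructed; the element and attribute names are those IIS uses.
"""
import xml.etree.ElementTree as ET

CERTSRV_PATH = "Default Web Site/CertSrv"  # assumed site path

# Weak: NTLM offered (directly and via plain Negotiate fallback),
# no Extended Protection, plain HTTP allowed.
WEAK_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <providers>
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# Hardened per KB5005413: Kerberos only, EPA required, SSL required.
HARDENED_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <extendedProtection tokenChecking="Require" />
            <providers>
              <add value="Negotiate:Kerberos" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""


def audit_certsrv(config_xml, path=CERTSRV_PATH):
    """Return a list of findings for the CertSrv location; an empty list means hardened."""
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.iter("location") if l.get("path") == path), None)
    if loc is None:
        return [f'no <location path="{path}"> section found']
    findings = []

    win = next(loc.iter("windowsAuthentication"), None)
    if win is None or win.get("enabled", "false").lower() != "true":
        findings.append("Windows authentication not enabled on CertSrv")
    else:
        # Plain "Negotiate" still falls back to NTLM; only Negotiate:Kerberos excludes it.
        providers = [a.get("value", "") for a in win.iter("add")]
        ntlm_capable = [p for p in providers if p.upper() in ("NTLM", "NEGOTIATE")]
        if ntlm_capable:
            findings.append(f"NTLM still offered via providers {ntlm_capable}; "
                            "use Negotiate:Kerberos only")
        epa = win.find("extendedProtection")
        if epa is None or epa.get("tokenChecking", "None") != "Require":
            findings.append("Extended Protection for Authentication not set to Require")

    # EPA only protects the channel if the channel is TLS, so SSL must be required too.
    access = next(loc.iter("access"), None)
    flags = access.get("sslFlags", "None") if access is not None else "None"
    if "Ssl" not in [f.strip() for f in flags.split(",")]:
        findings.append("SSL not required on CertSrv (sslFlags lacks Ssl)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_certsrv(cfg) or ["ok"])
```

The same three settings are what IIS Manager exposes under Authentication (Windows Authentication providers and Extended Protection) and SSL Settings for the CertSrv application, so the audit can be run against a copy of applicationHost.config before and after the change to confirm the hardening actually landed. Where NTLM cannot be removed, the EPA plus SSL pair is the part that breaks the relay; the provider change on its own is not enough if tokenChecking stays at None.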
