Microsoft Outlines Optimum Defense Against PetitPotam Windows Server NTLM Relay Attack
In a recent security advisory, Microsoft explains that “PetitPotam is a classic NTLM Relay Attack, and such attacks have been previously documented by Microsoft along with numerous mitigation options to protect customers.” These mitigation tactics include disabling NTLM on any Active Directory Certificate Services (AD CS) servers through group policy and disabling NTLM for Internet Information Services (IIS) on AD CS Servers on the domain. This can be done by following the tutorial Microsoft provided in the advisory.
Finally finished testing it, it's quite brutal! Network access to full AD takeover... I really underestimated the impact of NTLM relay on PKI #ESC8 😱The combo with PetitPotam is awesome !— Rémi Escourrou (@remiescourrou) July 22, 2021
Everything is already published to quickly exploit it ... https://t.co/NVe6QJFrx6 pic.twitter.com/q55OyC7dME
As it stands, PetitPotam has not been found in the wild, but that could change rather quickly as word of the attack vector spreads. Other security researchers around the web have indicated how bad this vulnerability is for security, which should be heeded as a warning. Hopefully, a proper fix will come out before this takes off, so stay tuned to HotHardware for updates.