Security researchers recently disclosed a new attack vector called PetitPotam. By means of an NTLM relay attack, any Windows domain controller can be taken over. Microsoft has since responded and published a security advisory about this issue. There is also a second proposal from security researchers to block the attack via RPC filters, but this proposal is not a universal solution.
The PetitPotam attack
French security researcher Gilles Lionel (alias Topotam) published a proof of concept (PoC) in July 2021 for an NTLM relay attack that can take over Windows domain controllers. Security researchers had come across a method to force a domain controller to authenticate to a malicious NTLM relay. The relay then forwards the request over HTTP to the domain's Active Directory Certificate Services. Ultimately, the attacker obtains a Kerberos ticket (TGT) that could be used to assume the identity of any device on the network, including a domain controller.
I had reported on this in the post PetitPotam attack allows Windows domain takeover. A day later, Microsoft confirmed this attack scenario, which affects virtually all server operating systems from Windows Server 2008 to Windows Server 20H2. At the same time, Microsoft made suggestions on how administrators can mitigate this vulnerability. Domain administrators need to ensure that services that allow NTLM authentication use protections such as Extended Protection for Authentication (EPA) or signing capabilities such as SMB signing. I had reported the details in the blog post Microsoft's mitigations of Windows PetitPotam NTLM relay attacks.
Block PetitPotam attacks with NETSH filters
Over the weekend, I had already read the following information from Benjamin Delpy on Twitter about how to block MS-EFSR PetitPotam calls via RPC filters. CraigKirby had pointed out this possibility in a question.
However, this filtering technique meant nothing to me, and it was unclear to me whether it could be done with built-in tools. Delpy must have been in contact with the colleagues at Bleeping Computer, who addressed the issue in this post. Delpy suggests the following NETSH RPC filter, which blocks remote access to the MS-EFSRPC API, effectively blocking the unauthenticated PetitPotam attack vector. To do this, save the following instructions to a block_efsr.txt file on the administrator account's desktop.
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit
Then open an administrative command prompt and run the following command to import the filter:
netsh -f %userprofile%\desktop\block_efsr.txt
If an administrator then runs the following command in an administrative command prompt as a check, the two filters should be listed.
netsh rpc filter show filter
With these filters, a PetitPotam attack should no longer work, while EFS can still be used normally on the system. Security researcher Will Dormann confirms in this tweet that this filtering works.
However, it is important to note that this only blocks remote attacks. French security researcher Gilles Lionel (alias Topotam) points this out in this tweet.
At this point, however, it is unclear to me how well the RPC filter now protects, because the attacker already needs access to the domain. If Microsoft ever fixes the API to block this attack vector, this filter can be removed with the following command in an administrative prompt:
netsh rpc filter delete filter filterkey=[key]
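The import, the check and the later removal combined into one script, as an added example that is not from the original post or from Benjamin Delpy: it writes the same filter file, imports it, reads the resulting filterKeys back out of netsh rpc filter show filter, and can delete exactly those filters again without looking the key up by hand. Assumptions: an elevated PowerShell session, the observed show-filter output layout (one block per filter beginning with "filterKey:" whose condition line contains the interface UUID), and my own names $EfsrUuids, Get-EfsrRpcFilterKeys, Add-EfsrRpcFilter and Remove-EfsrRpcFilter.

```powershell
# Added example, not from the original post: apply the two MS-EFSRPC RPC filters from the post,
# verify them through "netsh rpc filter show filter" and keep their filterKeys for later removal.
# Assumption: the show-filter output lists each filter as a block that starts with "filterKey:"
# and whose conditionValue line contains the interface UUID. Run from an elevated PowerShell.
$EfsrUuids = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',
    'df1941c5-fe89-4e79-bf10-463657acf44d'
)
function Get-EfsrRpcFilterKeys {
    # Returns one object per installed filter whose condition matches an MS-EFSRPC interface UUID.
    $text = (netsh rpc filter show filter) -join "`n"
    $found = @()
    foreach ($block in ($text -split 'filterKey:')) {
        $key = [regex]::Match($block, '^\s*\{?([0-9a-fA-F-]{36})')
        if (-not $key.Success) { continue }          # header text before the first filter
        foreach ($uuid in $EfsrUuids) {
            if ($block -match [regex]::Escape($uuid)) {
                $found += [pscustomobject]@{ FilterKey = $key.Groups[1].Value; InterfaceUuid = $uuid }
            }
        }
    }
    return $found
}
function Add-EfsrRpcFilter {
    # Same netsh script as in the post, written to %TEMP% instead of the desktop.
    $script = @'
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit
'@
    $path = Join-Path $env:TEMP 'block_efsr.txt'
    Set-Content -Path $path -Value $script -Encoding Ascii
    netsh -f $path | Out-Null
    return Get-EfsrRpcFilterKeys
}
function Remove-EfsrRpcFilter {
    # Rollback: delete only the filters whose condition carries an MS-EFSRPC UUID.
    foreach ($f in Get-EfsrRpcFilterKeys) { netsh rpc filter delete filter "filterkey=$($f.FilterKey)" | Out-Null }
}
$installed = Add-EfsrRpcFilter
if (@($installed).Count -ne 2) { Write-Warning 'Expected two MS-EFSRPC filters; inspect netsh rpc filter show filter.' }
$installed | Format-Table -AutoSize
```

Once Microsoft fixes the API, calling Remove-EfsrRpcFilter removes both filters and leaves any other RPC filters on the host untouched.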
Maybe it will help you anyway.