PetitPotam relay attack targeting Windows domains
Posted by: GuidePoint Security
Published 08/05/2021, 9am
Last week researchers announced the discovery of a Windows New Technology (NT) LAN Manager (NTLM) relay attack that enables takeover of a domain controller and other Windows servers. The attack forces a domain controller to authenticate to a remote NTLM relay controlled by the threat actor through the Microsoft Encrypting File System Remote Protocol (EFSRPC). Once the controller has authenticated, the attacker can steal hashes and certificates to gain privileges and assume the device's identity.
Security analysts were quick to point out the severity of the bug, calling it ‘brutal,’ since there was no easy way to block the attack.
Next Steps
Microsoft quickly issued a security advisory, noting that PetitPotam “takes advantage of servers where Active Directory Certificate Services (AD CS) is not configured with protections for NTLM Relay Attacks.” The company recommends that organizations defend against the PetitPotam attack by enabling the mitigation feature known as Extended Protection for Authentication (EPA). Microsoft also recommends disabling NTLM authentication where possible.
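The two IIS settings Microsoft's guidance points to for AD CS web enrollment endpoints (Extended Protection set to Require, and SSL required) can be audited and, if needed, applied with the script below. It is an added example, not code from GuidePoint or Microsoft; it assumes it runs elevated on the CA web server with the IIS WebAdministration module available, and that the site and application names (defaults shown, e.g. `CertSrv`) match your deployment.

```powershell
# Added example (not from the advisory): audit, and optionally set, Extended
# Protection for Authentication and the SSL requirement on AD CS web endpoints.
# Assumptions: elevated session on the CA web server, WebAdministration module,
# default site name; add your CES/CEP application names to -Apps.
Import-Module WebAdministration

function Test-AdcsEpa {
    param(
        [string]   $Site = 'Default Web Site',
        [string[]] $Apps = @('CertSrv'),   # Web Enrollment; add e.g. '<CA>_CES_Kerberos'
        [switch]   $Remediate
    )
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'
    $access  = 'system.webServer/security/access'

    foreach ($app in $Apps) {
        $psPath = "IIS:\Sites\$Site\$app"

        # Weak state (what an NTLM relay exploits): tokenChecking = None and/or
        # no sslFlags, i.e. NTLM accepted over HTTP with no channel binding.
        $epa = (Get-WebConfiguration -PSPath $psPath -Filter "$winAuth/extendedProtection").tokenChecking
        $ssl = (Get-WebConfiguration -PSPath $psPath -Filter $access).sslFlags

        $ok = ("$epa" -eq 'Require') -and ("$ssl" -match 'Ssl')

        if ($Remediate -and -not $ok) {
            # Hardened state per the Microsoft advisory: require channel-binding
            # tokens (EPA) and require TLS on the endpoint.
            Set-WebConfigurationProperty -PSPath $psPath -Filter $winAuth `
                -Name 'extendedProtection.tokenChecking' -Value 'Require'
            Set-WebConfigurationProperty -PSPath $psPath -Filter $access `
                -Name 'sslFlags' -Value 'Ssl'
            $epa = 'Require'; $ssl = 'Ssl'; $ok = $true
        }

        [pscustomobject]@{
            Application   = $psPath
            TokenChecking = "$epa"
            SslFlags      = "$ssl"
            Compliant     = $ok
        }
    }
}

# Report only; add -Remediate to apply the hardened settings.
Test-AdcsEpa | Format-Table -AutoSize
```

Requiring EPA means clients must present channel-binding tokens over TLS, so verify enrollment from your browsers and tooling on one endpoint before remediating across the estate.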