Description
A newly uncovered vulnerability in the Windows operating system can be exploited to obtain remote windows servers, including domain controllers, to authenticate with a malicious destination, thereby allowing an adversary to stage an NTLM (Windows NT LAN Manager) relay attack and completely take over a windows domain.
Summary
A hacker can target a domain controller to authenticate against a remote NTLM under a bad actors control using the MS-EFSRPC interface and distributes its authentication data. This is done by connecting to LSARPC (Local Security Authority Remote Protocol), resulting in a scenario where the target server link to an arbitrary server and execute NTLM authentication.
Solution
To safeguard against this line of attack, Microsoft is recommending that customers disable NTLM authentication on the domain controller. If the NTLM cannot be turned off for compatibility reasons, the company is suggesting users take one of the two steps below.
Disable NTLM on any Active Directory Certificate Services in your domain using group policy network security.
Disable NTLM for internet information services on active directory certificate services in the domain running the certificate authority web enrollment or certificate enrollment web service.
For more information on this alert, please follow the URL:
https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html
The Guyana National CIRT recommends that users and administrators review this alert and apply updates where necessary.
PDF Download: Microsoft vulnerability affecting Windows Operating System.pdf
References
New PetitPotam NTLM Relay attack on Windows Domain (26th July 2021). Retrieved from thehackernews.com
https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack- lets.html
New PetitPotan NTLM Relay attack on Windows Domain (July 26, 2021). Retrieved from