A PetitPotam attack now permits taking over Windows domains

A new NTLM relay attack dubbed PetitPotam has just been disclosed. It may enable an attacker to take over an entire Windows domain.

PetitPotam Attack

According to a report by the French security researcher Gilles Lionel (also known as Topotam), a new method named “PetitPotam” allows attackers to carry out an NTLM relay attack by abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API.

For those who don’t know, MS-EFSRPC is Microsoft’s Encrypting File System Remote Protocol that allows for maintenance and administration activities on encrypted data that is stored remotely and accessible via a network.

Alongside the disclosure, Lionel has released on GitHub a proof-of-concept script for the PetitPotam method that uses the MS-EFSRPC API to coerce the domain controller into authenticating with its NTLM logon credential.

According to the details that have been revealed, an attacker may similarly abuse the RpcRemoteFindFirstPrinterChangeNotification function of the MS-RPRN printing API to force a system to authenticate to a remote server.

A blog article on Thehacker.recipes explains that, by using a particular RPC call, an attacker who controls a domain user or computer account can trigger the target’s spooler service so that it authenticates to a host of the attacker’s choosing. A successful attack may give the attacker full control of the domain controller, which in turn grants them control of the Windows domain. Microsoft’s Print Spooler is the service that manages print jobs and other printing-related tasks.

The researcher has also claimed that, aside from taking over the domain controller, the PetitPotam method might be used for additional attacks, such as downgrading to NTLMv1 and relaying machine accounts to computers on which that machine account is a local administrator.

Following the disclosure, many companies have deactivated MS-RPRN (the Print Spooler service) as a means of blocking that attack vector. Microsoft has also taken measures to mitigate the attacks and has issued an advisory on PetitPotam and NTLM relay attacks. The company is encouraging all network operators to apply the official mitigations published in the advisory to protect against the issue.
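The following PowerShell script is an added example (not from the article or the researcher) of the Print Spooler hardening the paragraph describes: it audits the Spooler service on every domain controller and, when run with -Disable, stops and disables it. It assumes the ActiveDirectory module and WinRM access to the domain controllers; note that this closes only the MS-RPRN vector, not the MS-EFSRPC one, so Microsoft's advisory still needs to be applied.

```powershell
# Added example: audit (and optionally disable) the Print Spooler service on all
# domain controllers, since MS-RPRN is one of the authentication-coercion vectors
# described above. Requires the ActiveDirectory module and WinRM to each DC.
function Invoke-SpoolerAuditOnDomainControllers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # When set, stop the service and set its startup type to Disabled.
        [switch]$Disable
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Enumerate every domain controller in the current domain.
    $dcs = (Get-ADDomainController -Filter *).HostName

    foreach ($dc in $dcs) {
        try {
            # Query the Spooler state remotely; Get-Service -ComputerName is not
            # available in PowerShell 7, so Invoke-Command is used instead.
            $state = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
                if ($null -eq $svc) { return 'NotInstalled' }
                "$($svc.Status)/$($svc.StartType)"
            }

            [pscustomobject]@{ DomainController = $dc; Spooler = $state }

            # Domain controllers rarely need to print; disabling Spooler here
            # removes the MS-RPRN coercion vector on the DC itself.
            if ($Disable -and $state -ne 'NotInstalled' -and
                $PSCmdlet.ShouldProcess($dc, 'Stop and disable Print Spooler')) {
                Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                    Stop-Service -Name Spooler -Force -ErrorAction Stop
                    Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
                }
            }
        }
        catch {
            Write-Warning "Could not query or change Spooler on ${dc}: $($_.Exception.Message)"
        }
    }
}

# Audit only (no changes):
Invoke-SpoolerAuditOnDomainControllers
# Preview the change, then apply it:
# Invoke-SpoolerAuditOnDomainControllers -Disable -WhatIf
# Invoke-SpoolerAuditOnDomainControllers -Disable
```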


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her drive for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.