Published on: 28 July 2021
Microsoft released a security advisory to address an NTLM relay attack named PetitPotam on Windows domain controllers or other Windows servers. To execute the attack, an attacker would need to have domain credentials on the network.
Reports indicate that proof-of-concept (PoC) code for an NTLM relay attack named PetitPotam is publicly available. PetitPotam allows attackers to trigger remote code execution, elevation of privilege and spoofing, and to take control of an affected system. Patches are not yet available, but Microsoft has provided a security advisory with mitigation options. System administrators are advised to review the advisory and immediately apply the recommended options to mitigate the elevated risk of cyber attacks.
Successful exploitation could lead to remote code execution, elevation of privilege and spoofing, and could allow an attacker to take control of an affected system.
As of 28 July 2021, patches for the affected products are not yet available. System administrators should check whether NTLM authentication is enabled and whether Active Directory Certificate Services (AD CS) is used with Certificate Authority Web Enrollment or Certificate Enrollment Web Service. Details of the mitigation options can be found at the following URL:
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
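The check the advisory recommends, written up as an added PowerShell audit script that is not part of the advisory or of Microsoft's KB article: it reports whether the two enrollment web roles are installed and whether the settings KB5005413 covers (Extended Protection for Authentication set to Require, SSL-only enrollment endpoints, NTLM as an IIS authentication provider, and the host-wide incoming-NTLM policy) are in the hardened state. It assumes the enrollment applications sit under 'Default Web Site' with the default CertSrv and <CAName>_CES_<auth> paths, and must run elevated on the AD CS server itself.

```powershell
# Added audit script (not from the advisory or KB5005413). Assumption: the
# enrollment apps live under 'Default Web Site' and CES applications follow
# the default '<CAName>_CES_<auth>' naming; adjust $site / paths otherwise.
Import-Module ServerManager
Import-Module WebAdministration

function Get-IisAttr($location, $filter, $name) {
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
         -Filter $filter -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. The two role services the advisory names.
foreach ($feature in 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc') {
    $f = Get-WindowsFeature -Name $feature
    if ($f.Installed) { $findings.Add("ROLE $feature ($($f.DisplayName)) is installed") }
}

# 2. Per-application IIS settings on the enrollment endpoints.
$site = 'Default Web Site'
$ces  = @(Get-WebApplication -Site $site | Where-Object { $_.path -match '_CES_' } |
          ForEach-Object { "$site$($_.path)" })
$auth = 'system.webServer/security/authentication/windowsAuthentication'
foreach ($loc in (@("$site/CertSrv") + $ces)) {
    $winAuth   = Get-IisAttr $loc $auth 'enabled'
    $epa       = Get-IisAttr $loc "$auth/extendedProtection" 'tokenChecking'
    $sslFlags  = Get-IisAttr $loc 'system.webServer/security/access' 'sslFlags'
    $providers = @(Get-WebConfiguration -PSPath 'IIS:\' -Location $loc `
                   -Filter "$auth/providers/add" -ErrorAction SilentlyContinue).value
    $issues = @()
    if ($winAuth -and ($providers -contains 'NTLM') -and ("$epa" -ne 'Require')) {
        $issues += "NTLM provider enabled with EPA=$epa (KB expects Require)"
    }
    if (("$sslFlags" -split ',\s*') -notcontains 'Ssl') { $issues += "SSL not required (sslFlags=$sslFlags)" }
    if ($issues) { $findings.Add("WEAK $loc : $($issues -join '; ')") }
    else         { $findings.Add("OK   $loc : EPA=$epa, sslFlags=$sslFlags") }
}

# 3. Host-wide policy 'Network security: Restrict NTLM: Incoming NTLM traffic'
#    (RestrictReceivingNTLMTraffic = 2 means Deny all).
$msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
if ($msv.RestrictReceivingNTLMTraffic -eq 2) { $findings.Add('OK   incoming NTLM denied host-wide') }
else { $findings.Add("INFO incoming NTLM still accepted host-wide (RestrictReceivingNTLMTraffic=$($msv.RestrictReceivingNTLMTraffic))") }
$findings
```

Any line reported as WEAK identifies an enrollment endpoint where the KB's EPA or SSL setting has not yet been applied; a host with neither role installed only prints the INFO/OK line for the NTLM policy.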