Using Coerced Authentication Attempts to Compromise a Domain

Written by: John Hancock

Our testing has shown that attack paths using PetitPotam are becoming increasingly common. These attacks coerce authentication attempts from a domain controller which attackers can use to relay to services like Active Directory Certificate Services (AD CS). With this, attackers can easily go from a standard user account to completely compromising the domain in a short time period.

PetitPotam works by exploiting flaws in the Encrypting File System Remote (EFSRPC) Protocol to coerce the target machine to authenticate to other systems on the network, allowing an attacker to capture an NTLM hash and potentially relay it elsewhere. Other similar techniques exist, such as ShadowCoerce and PrinterBug, which target other protocols, but the end result is the same.

What makes this technique powerful compared to other methods for NTLM relays is that this requires no external interactions. There’s no waiting around for a machine on the network to decide to authenticate, and it’s not dependent on who’s active on the network.

One common way this is used in our testing is in combination with AD CS. The ESC8 vulnerability relies on relaying the coerced hash to the web enrollment server, which does not verify signing. The only other requirement is that one of the enabled certificate templates allows for client authentication. Luckily, the configuration provided out of the box by Microsoft has this enabled by default. So, if these default templates weren’t disabled, or if they were copied as a base for other templates, they may still have these features enabled. Using this, an attacker can request a certificate that can be used much like a password on the network and compromise the domain.

Remediation and Prevention

Microsoft has partially patched PetitPotam. However, this only prevents the attack from unauthenticated sources. Once an attacker compromises any credentials on your network, they’re still able to perform this attack and potentially use it to elevate permissions.

As security professionals continue to discover similar types of attacks, the best way to prevent an attack of this nature is to ensure there’s nowhere to relay these authentication attempts. Guidance from Microsoft to mitigate an NTLM Relay Attack against AD CS can be found in KB5005413. Additionally, ensuring SMB signing is enabled throughout your network can help protect other systems and services. Some detection methods have been proposed, but these should not be solely relied on where possible as they only work for this specific technique.