
Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers


Adversaries often exploit outdated protocols to infiltrate an organization's environment. Despite the well-known weaknesses of protocols such as Windows NTLM, they are still widely used in corporate networks.

One of the most significant recent variants of the NTLM relay attack combines the PetitPotam vulnerability with a relay to AD-CS, a combination that, according to the CrowdStrike Identity Protection research group, is highly popular. While the latest Microsoft security update, released on Patch Tuesday, May 10, 2022, included a patch for that vulnerability, it does not fully mitigate the issue. It does, however, change the requirements: instead of running the attack unauthenticated, an attacker now needs the credentials of any Active Directory account to trigger it.

We invite you to take a detailed look at the fixes, find out which issues remain unsolved, and learn about the improvements to the existing Falcon Identity Protection NTLM relay detection, which now detects exploitation of the PetitPotam vulnerability and similar authentication coercion techniques.

PetitPotam and NTLM Relay

NTLM relay has always been a popular attack technique. In the past, the biggest challenge was to get a privileged account to authenticate to an attacker-controlled machine; now endpoint authentication coercion mechanisms, which force a target to initiate that authentication on demand, are gaining popularity.

The most popular targets, for obvious reasons, are domain controllers: their high privileges make them a lucrative target for authentication relay attacks. The first authentication coercion mechanism abused the Print Spooler service; the newer one relies on the MS-EFSRPC protocol and is known as the PetitPotam attack. Combined with the insecure default configuration of Active Directory Certificate Services (AD-CS), whose web enrollment endpoint does not enforce Extended Protection for Authentication (EPA), it can lead to a full domain compromise in a few steps. An attacker triggers an NTLM authentication from the domain controller by exploiting the PetitPotam vulnerability and relays it to the AD-CS server to request a certificate for the domain controller's computer account. Using this certificate, the attacker can then obtain a TGT for the relayed domain controller account (certificate-based Kerberos authentication, PKINIT) and perform any further operations with its high privileges (e.g., dump domain admin hashes).

One of the most severe aspects of the PetitPotam vulnerability, prior to Microsoft's latest security updates, was that an attacker could run the attack unauthenticated (i.e., only network access to the domain controller was required). The patch only partially mitigates the issue, meaning an attack is still possible.

The Released Fix(es) and Remaining Issues

The Microsoft security update released on Patch Tuesday, May 10, 2022, included a partial patch for the PetitPotam vulnerability. This update, however, also caused authentication failures for various Windows services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP). According to Microsoft, "An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller."

As a workaround, Microsoft recommended manually mapping certificates to Active Directory accounts or following KB5014754 for other possible mitigations. Because of the issues caused by the patch, CISA warned against deploying it on domain controllers, which left many organizations wide open to the unauthenticated PetitPotam authentication coercion attack. On May 19, 2022, an out-of-band update was made available to fix the authentication failures caused by the security update.

It is important to note that the security update states, "This security update detects anonymous connection attempts in LSARPC and disallows it," which raises the question: does the coercion attack still work using an authenticated user?

Following some testing, it looks like the answer is yes!

While the PetitPotam vulnerability, once patched, no longer works unauthenticated, it can still be abused with the credentials of any Active Directory account to trigger domain controller NTLM authentication, which can then be relayed to escalate to domain admin privileges if the required security settings are not enforced (as previously mentioned, EPA is not enforced by default on AD-CS servers).

Moreover, PetitPotam is no longer the newest authentication coercion method; the attack tool DFSCoerce, which abuses the MS-DFSNM protocol to trigger domain controller authentication, has since been released.

Enhancing CrowdStrike Identity Protection NTLM Relay Detection

Because an authenticated user can still trigger an NTLM authentication from the domain controller, the NTLM relay attack vector remains relevant for domain controller accounts. This is why the NTLM relay detection capability of CrowdStrike Falcon Identity Threat Protection was enhanced to detect attempts to perform NTLM relay using domain controller credentials. The benefit of this detection is that it is not tied to any single authentication coercion method: it detects the relay whether it was initiated by the PetitPotam vulnerability, the newer DFSCoerce tool or any coercion mechanism discovered in the future.
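To illustrate what a coercion-agnostic detection can key on, the PowerShell below is an added example written for this article, not CrowdStrike's detection logic. It flags an NTLM network logon (Security event 4624, logon type 3) for a domain controller's computer account that arrives from an address that is not that domain controller. A coerced DC authentication relayed to a target such as the AD-CS web enrollment server is logged on that target as a 4624 for `DC01$` with the attacker's source address, regardless of which coercion tool produced it. The DC names and addresses, the sample logons and the host names in them are hypothetical; the 4624 field names are the standard ones.

```powershell
# Added example (not CrowdStrike's detection logic): flag NTLM network logons of a
# domain controller computer account from an address that is not that DC.
# Assumption: the DC names/addresses below are hypothetical and must be replaced
# with the real list (including every IPv4/IPv6 address the DC uses as a client).

$DomainControllers = @{
    'DC01$' = @('10.0.0.10', 'fe80::1')
    'DC02$' = @('10.0.0.11')
}
# Addresses 4624 reports for local/loopback logons; no relay inference is possible there.
$LocalSources = @('-', '127.0.0.1', '::1')

# Normalize a live Security-log 4624 record into the fields the check uses.
function Convert-Logon4624 {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $Record.TimeCreated
        Logger      = $Record.MachineName            # the relay *target* logs the event
        Account     = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = [int]$data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

function Test-RelayedDcLogon {
    param([Parameter(Mandatory)] $Logon)
    if ($Logon.LogonType -ne 3) { return $false }            # network logons only
    if ($Logon.AuthPackage -ne 'NTLM') { return $false }     # Kerberos logons are not relayed this way
    if (-not $DomainControllers.ContainsKey($Logon.Account)) { return $false }
    if ($Logon.SourceIp -in $LocalSources) { return $false }
    # The DC's own account authenticating from somewhere that is not the DC: relayed.
    return ($Logon.SourceIp -notin $DomainControllers[$Logon.Account])
}

function Find-RelayedDcLogon {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Logon)
    process { if (Test-RelayedDcLogon $Logon) { $Logon } }
}

# Constructed sample logons, as the AD-CS server CA01 would have logged them.
$sample = @(
    # DC01 itself, Kerberos: ordinary traffic
    [pscustomobject]@{ Time='2022-06-01 10:00:00'; Logger='CA01'; Account='DC01$'; Domain='CORP'; LogonType=3; AuthPackage='Kerberos'; SourceIp='10.0.0.10'; Workstation='-' }
    # DC01$ over NTLM from a host that is not DC01: a coerced, relayed authentication
    [pscustomobject]@{ Time='2022-06-01 10:02:13'; Logger='CA01'; Account='DC01$'; Domain='CORP'; LogonType=3; AuthPackage='NTLM';     SourceIp='10.0.0.57'; Workstation='WS-RELAY' }
    # the low-privileged account that triggered the coercion: not a DC account
    [pscustomobject]@{ Time='2022-06-01 10:02:14'; Logger='CA01'; Account='alice'; Domain='CORP'; LogonType=3; AuthPackage='NTLM';     SourceIp='10.0.0.57'; Workstation='WS-RELAY' }
    # DC02$ over NTLM from DC02's own address: not a relay
    [pscustomobject]@{ Time='2022-06-01 10:05:00'; Logger='CA01'; Account='DC02$'; Domain='CORP'; LogonType=3; AuthPackage='NTLM';     SourceIp='10.0.0.11'; Workstation='DC02' }
)
$sample | Find-RelayedDcLogon | Format-Table Time, Logger, Account, SourceIp, Workstation

# Against a live relay target (run elevated on the AD-CS or other candidate server):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#     ForEach-Object { Convert-Logon4624 $_ } | Find-RelayedDcLogon
```

Two caveats matter in practice. The 4624 is written on the relay target, not on the coerced domain controller, so the events to collect are those of the AD-CS server and any other server an attacker could relay to. And a DC legitimately authenticates as `DC01$` over NTLM to other servers from its own addresses, so the per-DC address list must be complete, or the check will raise false positives; once signing and EPA are enforced on the target, the relayed authentication fails and surfaces as a 4625 rather than a 4624.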

Additional Mitigations

Though patching is an important first step against the latest NTLM relay vulnerabilities, it is not enough, as many insecure defaults can leave your domain vulnerable. This is why we recommend the following steps:

  1. Enforce signing (SMB and LDAP) and Extended Protection for Authentication (EPA) on all relevant servers, especially the AD-CS servers, which are a common target of this attack.
  2. Track failed and successful NTLM relay attempts in your domain network. Using the enhanced detection capabilities of CrowdStrike Falcon Identity Threat Protection, customers can now be alerted on NTLM relay attacks abusing domain controller accounts.
  3. Disable NTLM. Because this is a potentially breaking change that takes a lot of time in most environments, start by disabling NTLM support on servers that may be targeted during a relay attack and are not otherwise protected. For example, if for any reason you cannot enforce EPA on the AD-CS server, disable incoming NTLM on that server to protect it from NTLM relay attacks.
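The PowerShell below is an added example, not from the page or from CrowdStrike, that audits and applies the settings in steps 1 and 3 on the server each one belongs to. The registry value names and cmdlets are the documented Windows ones; the AD-CS web enrollment location `Default Web Site/CertSrv`, the EPA value `Require` and the SSL requirement follow Microsoft's KB5005413 guidance for AD CS. Applying the settings host by host rather than through Group Policy is an assumption made for the example.

```powershell
# Added example (not from the page or CrowdStrike): audit and apply the
# relay-relevant settings. Run elevated on the server in question; each
# Enable-*/Set-* function changes the live configuration.
# Assumption: AD-CS web enrollment lives at the default 'Default Web Site/CertSrv'.

$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'   # DC only
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$CertSrv = 'Default Web Site/CertSrv'
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'
$AppHost = 'MACHINE/WEBROOT/APPHOST'

function Get-RegDword($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-IisValue($Filter, $Name) {
    $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $CertSrv -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# Report this host's state. $null means the value is not set, i.e. the insecure default.
function Get-RelayHardeningState {
    $state = [ordered]@{
        SmbSigningRequired     = (Get-SmbServerConfiguration).RequireSecuritySignature   # want True
        LdapServerIntegrity    = Get-RegDword $NtdsKey 'LDAPServerIntegrity'             # want 2 (require signing)
        LdapChannelBinding     = Get-RegDword $NtdsKey 'LdapEnforceChannelBinding'       # want 2 (always)
        IncomingNtlmAudited    = Get-RegDword $Msv1Key 'AuditReceivingNTLMTraffic'       # 2 = audit all accounts
        IncomingNtlmRestricted = Get-RegDword $Msv1Key 'RestrictReceivingNTLMTraffic'    # 2 = deny all accounts
    }
    if (Get-Module -ListAvailable -Name WebAdministration) {       # only meaningful on the AD-CS web server
        Import-Module WebAdministration
        $state['CertSrvEpa'] = Get-IisValue $WinAuth 'extendedProtection.tokenChecking'  # want 'Require'
        $state['CertSrvSsl'] = Get-IisValue 'system.webServer/security/access' 'sslFlags' # want 'Ssl'
    }
    [pscustomobject]$state
}

# Step 1: signing on SMB (any server) and LDAP (domain controllers).
function Enable-SmbSigning {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}
function Enable-LdapSigning {
    Set-ItemProperty -Path $NtdsKey -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
    Set-ItemProperty -Path $NtdsKey -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
}

# Step 1: EPA on the AD-CS web enrollment endpoint (the page's weak default).
# Default is tokenChecking = None; 'Require' makes the relayed NTLM exchange fail.
function Enable-CertSrvEpa {
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath $AppHost -Location $CertSrv -Filter $WinAuth `
        -Name 'extendedProtection.tokenChecking' -Value 'Require'
    Set-WebConfigurationProperty -PSPath $AppHost -Location $CertSrv `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# Step 3: incoming NTLM on a server that cannot be protected otherwise.
# Audit first; the audited logons appear in Microsoft-Windows-NTLM/Operational.
function Set-IncomingNtlm {
    param([Parameter(Mandatory)] [ValidateSet('Audit', 'Deny')] [string] $Mode)
    if ($Mode -eq 'Audit') {
        Set-ItemProperty -Path $Msv1Key -Name 'AuditReceivingNTLMTraffic'    -Value 2 -Type DWord
    } else {
        Set-ItemProperty -Path $Msv1Key -Name 'RestrictReceivingNTLMTraffic' -Value 2 -Type DWord
    }
}

Get-RelayHardeningState | Format-List
```

Run `Get-RelayHardeningState` first and keep the output as the baseline. In a domain these values are normally delivered by Group Policy (the "Digitally sign communications (always)", "LDAP server signing requirements", "LDAP server channel binding token requirements" and "Restrict NTLM: Incoming NTLM traffic" policies), which will overwrite a local change at the next refresh, so treat the `Enable-*` functions as the settings to put into policy rather than as a permanent fix. Switch `Set-IncomingNtlm` to `Deny` only after the audit log shows no legitimate NTLM clients hitting the server, since denying incoming NTLM on the CA breaks any enrollment client that cannot use Kerberos.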

A reliable solution for the protection of end devices and credentials will give you peace of mind and confidence in the security of valuable corporate information. If you need help in selecting and implementing an effective cyber security solution, the experienced experts of iIT Distribution will help with this issue. iIT Distribution is the official distributor of CrowdStrike solutions in the territories of Ukraine, Kazakhstan, Georgia and Uzbekistan.

