PetitPotam is a recently disclosed attack technique that can let an attacker take over an entire Windows domain, or any targeted enterprise server, by abusing classic NTLM authentication. It works by coercing a Windows host, including a domain controller, into authenticating to a machine the attacker controls, from which the NTLM authentication can be relayed to another service such as Active Directory Certificate Services (AD CS). PetitPotam cannot simply be launched over the internet against an exposed target; it is intended to operate inside a corporate network. Once inside, a threat actor can use it to obtain certificates and credential material for the domain controllers and, from there, compromise a company's entire internal network.
Lionel Gilles, a France-based security researcher also known as Topotam, published a proof-of-concept (PoC) exploitation tool, and the SANS Institute's Internet Storm Center has since issued a step-by-step walkthrough of the attack.
In its published advisory, Microsoft described PetitPotam as a classic NTLM relay attack and pointed to mitigations it had already documented in the past. Some security experts were not pleased with this response, because the updated advisory offered configuration mitigations rather than a fix: disabling NTLM authentication where it is not needed, enabling the Extended Protection for Authentication (EPA) feature on AD CS, and disabling HTTP (that is, requiring HTTPS) on the AD CS web enrollment endpoints.
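The following PowerShell script is an added example, not code from the article, Microsoft's advisory, or the PetitPotam PoC. It audits an AD CS server for the three mitigations listed above (EPA required, HTTPS required, NTLM not accepted) and can apply the two IIS-level settings. It assumes the Web Enrollment application is installed at its default path, 'Default Web Site/CertSrv', and that the WebAdministration module that ships with IIS is available; the function names Get-CertSrvRelayPosture and Set-CertSrvRelayMitigations are ours.

```powershell
# Added example (not from the original article or Microsoft's advisory): audit the
# AD CS Web Enrollment hardening that the advisory recommends against NTLM relay.
# Run elevated on the AD CS server that hosts Web Enrollment (the CertSrv IIS app).
# Assumptions: the app lives at 'Default Web Site/CertSrv' (the default install path)
# and the WebAdministration module is present (it is installed together with IIS).
Import-Module WebAdministration -ErrorAction Stop

$site    = 'Default Web Site/CertSrv'
$psPath  = 'MACHINE/WEBROOT/APPHOST'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

function ConvertTo-PlainValue($prop) {
    # Get-WebConfigurationProperty returns either a bare value or a configuration
    # attribute object with a .Value member, depending on the IIS version.
    if ($null -eq $prop) { return '' }
    if ($prop.PSObject.Properties['Value']) { return "$($prop.Value)" }
    return "$prop"
}

function Get-CertSrvRelayPosture {
    # EPA binds the NTLM/Kerberos exchange to the TLS channel, so a token relayed
    # from another connection is rejected. 'Require' is the advisory's setting;
    # 'Allow' or 'None' leaves relay possible.
    $epa = ConvertTo-PlainValue (Get-WebConfigurationProperty -PSPath $psPath -Location $site `
            -Filter $winAuth -Name 'extendedProtection.tokenChecking')

    # EPA only works over TLS, so the app must also require SSL (no plain HTTP).
    $ssl = ConvertTo-PlainValue (Get-WebConfigurationProperty -PSPath $psPath -Location $site `
            -Filter 'system.webServer/security/access' -Name 'sslFlags')

    # If NTLM is still listed as a Windows Authentication provider, a relayed NTLM
    # handshake is accepted even when Kerberos is preferred.
    $providers = @(Get-WebConfigurationProperty -PSPath $psPath -Location $site `
                   -Filter "$winAuth/providers" -Name 'Collection' |
                   ForEach-Object { "$($_.value)" })

    # Host-wide policy 'Network security: Restrict NTLM: Incoming NTLM traffic'.
    # 2 = Deny all accounts; 1 = Deny all domain accounts; 0 or missing = Allow all.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
           -Name 'RestrictReceivingNTLMTraffic' -ErrorAction SilentlyContinue
    $restrict = if ($lsa) { [int]$lsa.RestrictReceivingNTLMTraffic } else { 0 }

    [pscustomobject]@{
        ExtendedProtection   = $epa
        SslFlags             = $ssl
        AuthProviders        = ($providers -join ',')
        IncomingNtlmRestrict = $restrict
        EpaRequired          = ($epa -eq 'Require')
        SslRequired          = ($ssl -match '\bSsl\b')
        NtlmProviderRemoved  = ($providers -notcontains 'NTLM')
        IncomingNtlmDenied   = ($restrict -eq 2)
    }
}

function Set-CertSrvRelayMitigations {
    # Apply the two IIS-level mitigations from the advisory: require EPA and TLS.
    # The NTLM provider and the host-wide NTLM policy are deliberately left to the
    # administrator, since removing NTLM can break clients that cannot use Kerberos.
    Set-WebConfigurationProperty -PSPath $psPath -Location $site `
        -Filter $winAuth -Name 'extendedProtection.tokenChecking' -Value 'Require'
    Set-WebConfigurationProperty -PSPath $psPath -Location $site `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

$posture = Get-CertSrvRelayPosture
$posture | Format-List
if (-not ($posture.EpaRequired -and $posture.SslRequired)) {
    Write-Warning 'CertSrv still accepts relayed NTLM over HTTP: run Set-CertSrvRelayMitigations.'
}
```

After applying the mitigations, re-run Get-CertSrvRelayPosture and test a real enrolment (certreq or the Certificates MMC snap-in) over HTTPS, since clients that enrolled over plain HTTP or that depend on NTLM will stop working; that is the "break stuff" risk that comes with changing legitimate functionality.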
As Lionel put it, PetitPotam is not a vulnerability in the usual sense but an abuse of the system's legitimate functionality.
PetitPotam can give an attacker control of an entire Windows domain, and it can also be chained with other attacks. Many other security researchers began testing it as soon as Lionel's research was published on GitHub.
According to Microsoft, Windows Server 2008, 2012, 2016, and 2019, as well as Windows Server versions 2004 and 20H2, are affected. The company's advisory notes that although details of PetitPotam have been publicly available, Microsoft was not aware of the technique being used in attacks.
In its own article, the security firm Malwarebytes described PetitPotam attacks and noted that, because the attack abuses legitimate functionality, any patch is likely to "break stuff". Security researcher Rémi Escourrou, meanwhile, confirmed that no effective way to block PetitPotam attacks had yet been found.