
New PetitPotam Attack Hits Windows Domains


A team of security researchers from France has discovered a vulnerability that cannot be patched and that affects Windows domain controllers and other Windows servers. Microsoft has already published a workaround to mitigate it.

The research team published a proof-of-concept that shows how a domain controller can be compromised. It demonstrates an NTLM relay attack dubbed PetitPotam. The technique lets threat actors take over a domain controller and, with it, an entire Windows domain: once in control, an attacker can execute arbitrary commands and thus effectively owns the Windows domain.

NTLM is an authentication protocol that Microsoft introduced around 30 years ago. Although its design problems, and the security weaknesses that follow from them, have long been known, it is still widely used. An NTLM relay attack consists of several steps that exploit these design problems, and PetitPotam is the latest instance of exactly that.

In a conversation with BleepingComputer about the new relay method, one of the security researchers said that he does not regard it as a security flaw in the strict sense: “In my opinion, this is not a vulnerability, but an abuse of a legitimate function.” The researcher stresses that the only way to defuse the technique is to disable NTLM authentication or to enable protection mechanisms such as SMB signing or LDAP signing. The abused functionality cannot be patched out and is enabled by default in all Windows environments.

Use the available mitigations

Microsoft has already reacted quickly: its security team has published guidance and an explanation. It states: “Microsoft is aware of PetitPotam, which can potentially be used to attack Windows domain controllers or other Windows servers. PetitPotam is a classic NTLM relay attack, and Microsoft has seen many of these attacks before. Mitigation options to protect customers are documented.”

Windows Server versions from 2008 to 2019 are affected. Administrators should follow Microsoft’s instructions to protect their systems.
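To check whether the mitigations named above (SMB signing, LDAP signing, restricting NTLM) are actually in place on a given server, here is an added PowerShell audit script; it is not from the article or from Microsoft’s guidance. The registry paths and value names are the standard policy-backed Windows locations, while the "Expect" thresholds are my assumption of what counts as hardened for each setting.

```powershell
# Added example: read-only audit of the NTLM-relay mitigations the article names.
# Run as an administrator on the domain controller or member server being checked.
function Get-NtlmRelayMitigationStatus {
    $checks = @(
        @{ Name   = 'SMB server: require signing'
           Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Value  = 'RequireSecuritySignature'; Expect = @(1) },
        @{ Name   = 'SMB client: require signing'
           Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Value  = 'RequireSecuritySignature'; Expect = @(1) },
        @{ Name   = 'LDAP server: require signing (meaningful on DCs only)'
           Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Value  = 'LDAPServerIntegrity'; Expect = @(2) },      # 2 = require signing
        @{ Name   = 'NTLM: restrict incoming NTLM authentication'
           Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
           Value  = 'RestrictReceivingNTLMTraffic'; Expect = @(1, 2) }  # 1/2 = deny
    )

    foreach ($c in $checks) {
        # A missing value means the policy was never set, i.e. the OS default applies,
        # which for these settings is the weaker behaviour (signing negotiated, NTLM allowed).
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }

        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { 'not set (default)' } else { $actual }
            Hardened = ($null -ne $actual -and $c.Expect -contains [int]$actual)
        }
    }
}

# Hardened = False rows are the settings still left at the behaviour PetitPotam relies on.
Get-NtlmRelayMitigationStatus | Format-Table -AutoSize
```

Values pushed by Group Policy land in these same keys, so the script reflects the effective setting after a policy refresh; the LDAP row is only relevant on domain controllers.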