What is PetitPotam Attack? How to overcome PetitPotam attack
PetitPotam is a new attack method that can be used to take control of a domain controller and, from there, the entire Windows domain.
Recently, French security researcher Gilles Lionel, aka Topotam, revealed a new attack technique called PetitPotam. It is an NTLM relay attack that does not depend on the MS-RPRN API but instead abuses the EfsRpcOpenFileRaw function of the MS-EFSRPC API.
MS-EFSRPC is Microsoft's Encrypting File System Remote Protocol, commonly used to perform maintenance and management operations on encrypted data that is stored remotely and accessed over the network.
According to Lionel, this is not a vulnerability but an abuse of a legitimate feature of the system. PetitPotam not only allows attackers to take control of the entire Windows domain but can also serve as a stepping stone to other attacks, Lionel said.

Soon after Lionel published his research on GitHub, many other security experts began testing it. Security researcher Remi Escourrou confirmed that PetitPotam can be used to take control of an entire Active Directory environment. He added that there is practically no way to block PetitPotam.
PetitPotam affects Windows Server 2008 through 2019. According to Microsoft, there is no indication that the PetitPotam technique has been used by attackers in the wild.
Microsoft shares how to fix PetitPotam
In a statement just released, Microsoft acknowledged that organizations can be attacked with PetitPotam. Microsoft has not yet released a patch, but it advises organizations to take the following measures to minimize the damage PetitPotam can cause:
- Disable NTLM where it is not needed (e.g. on domain controllers)
- Enable Extended Protection for Authentication to protect credentials on Windows computers
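The following read-only audit script is an added example, not part of the article or of Microsoft's guidance; it reports the registry- and IIS-backed settings behind the two mitigations above so an administrator can see where a host still accepts NTLM or lacks Extended Protection. It assumes an elevated PowerShell session on the host being checked, and the IIS portion assumes the WebAdministration module is present.

```powershell
# Read a policy value; $null means "not configured", so the Windows default applies.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = "$lsa\MSV1_0"
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$findings = @()

# 1. NTLM restriction ("Network security: Restrict NTLM ..." policies).
$incoming = Get-PolicyValue $msv 'RestrictReceivingNTLMTraffic'  # 0 allow all, 1 deny domain accounts, 2 deny all
$outgoing = Get-PolicyValue $msv 'RestrictSendingNTLMTraffic'    # 0 allow all, 1 audit, 2 deny all
$lmLevel  = Get-PolicyValue $lsa 'LmCompatibilityLevel'          # 5 = send NTLMv2 only, refuse LM and NTLMv1

if ($incoming -ne 2) { $findings += "Incoming NTLM not fully denied (RestrictReceivingNTLMTraffic=$incoming)." }
if ($outgoing -ne 2) { $findings += "Outgoing NTLM not fully denied (RestrictSendingNTLMTraffic=$outgoing)." }
if ($null -eq $lmLevel -or $lmLevel -lt 5) { $findings += "LmCompatibilityLevel=$lmLevel; 5 refuses LM and NTLMv1." }

# 2. Extended Protection for Authentication (channel binding).
#    On domain controllers, LDAP channel binding: 2 = always required.
if (Get-Service NTDS -ErrorAction SilentlyContinue) {
    $ldapCb = Get-PolicyValue $ntds 'LdapEnforceChannelBinding'
    if ($ldapCb -ne 2) { $findings += "LDAP channel binding not enforced (LdapEnforceChannelBinding=$ldapCb)." }
}
#    On IIS hosts, each site's Windows authentication should require the channel binding token.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    foreach ($site in Get-Website) {
        $ep = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
              -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
              -Name tokenChecking -ErrorAction SilentlyContinue
        # Possible values: None, Allow, Require. Only Require rejects relayed authentication.
        if ($ep -and "$($ep.Value)" -ne 'Require') {
            $findings += "Site '$($site.Name)': Extended Protection tokenChecking=$($ep.Value) (expected Require)."
        }
    }
}

if ($findings.Count -eq 0) { 'No gaps found against the two mitigations.' } else { $findings }
```

Values reported as empty were never configured, which in practice means the permissive Windows default is in effect.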
However, PetitPotam works by abusing the EfsRpcOpenFileRaw function of the MS-EFSRPC API to make a target send authentication requests that can then be relayed, which opens the door to other attacks. Microsoft's advice only hardens the NTLM relay step and does not address the MS-EFSRPC API abuse itself. Microsoft may still need to roll out an update to fix this issue.
Security expert Benjamin Delpy said that the mitigation measures that Microsoft offered were not satisfactory. The EFSRPC protocol is not even mentioned.