By: Dataprise
On July 23rd, French researcher Gilles Lionel (aka Topotam) revealed a new exploit technique called “PetitPotam”. It modifies a previously discovered exploit in the Windows Print Spooler so that attackers can exploit vulnerable Windows servers without the Microsoft Print System Remote Protocol (MS-RPRN) API. Lionel’s variant of the print spooler attack forces a server with a Print Spooler service to authenticate against an NTLM relay by exploiting a function in Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) API, a protocol used for maintenance and management operations on encrypted data that is stored remotely and accessed over a network. The MS-EFSRPC API is enabled by default on all Windows machines, and disabling the MS-EFS service will not prevent this attack from being successful.
A malicious actor could exploit this feature to gain full control of a Microsoft Windows Domain Controller and the entire Windows Domain. Lionel, in an interview with Bleeping Computer, said that he does not see this as a vulnerability but rather the abuse of a legitimate function.
There is proof-of-concept (PoC) code available on GitHub, so this exploit is considered Critical.
Gaining full control of a Windows Domain Controller would grant access to every device, database, folder and file on the entire network, putting the entire network at risk.
This attack relies on a legitimate function native to Microsoft Windows systems (MS-EFSRPC) and is not necessarily viewed as a vulnerability. By leveraging the EfsRpcOpenFileRaw function of the MS-EFSRPC API, a malicious actor could deploy a script that authenticates remotely, using the NTLM protocol, to a Windows server using Active Directory. This could allow attackers to gain control of the server, allowing them to leverage the MS-EFSRPC API. In addition to relaying SMB authentication to an HTTP certificate enrollment server, this exploit could be used for other attacks, such as an NTLMv1 downgrade and relaying the machine account on computers where this machine account is local admin (e.g. SCCM and Exchange servers are often in this situation).
According to the proof-of-concept code on GitHub, the code will call the DLL file rpcrt4.dll, also known as the Remote Procedure Call Runtime. Within this DLL (Dynamic Link Library), the EfsRpcOpenFileRaw function is called:
Function in the C Programming Language:
Calling the function in Python Script:
Microsoft has released an advisory on the PetitPotam exploit with the following information:
You are potentially vulnerable to this attack if NTLM authentication is enabled in your domain and you are using Active Directory Certificate Services (AD CS) with any of the following services:
No indicators are available at this time.
Since this exploit relies on a legitimate function, at this point there are no verified methods to prevent the abuse of the EfsRpcOpenFileRaw function in the MS-EFSRPC API. What you can do is “harden the HTTP service of the PKI to avoid the NTLM relay.”
Stopping the EFS Service alone will not prevent the exploit.
Unfortunately, because this attack method uses a valid function in a valid API, Microsoft will not release any patch to prevent the PetitPotam exploit. It is recommended that you use the mitigation steps provided by Benjamin Delpy, the creator of mimikatz, below to prevent the NTLM relay, or disable NTLM altogether and use Kerberos.
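The check below is an added example, not part of the original post and not Delpy's mitigation steps: it reads the WWW-Authenticate challenges returned by a certificate enrollment HTTP endpoint and reports whether NTLM is still on offer, which is what the relay depends on. The host names, the /certsrv/ path in the sample data, and the finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# A challenge begins with a bare scheme token such as "NTLM" or "Negotiate".
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

def offered_schemes(www_authenticate_values):
    """Return the auth schemes (upper-cased, in order) advertised in a 401 response."""
    schemes = []
    for value in www_authenticate_values:
        # Blank out quoted parameter values so commas inside them do not split challenges.
        unquoted = re.sub(r'"[^"]*"', '""', value)
        for piece in unquoted.split(","):
            words = piece.split()
            # Pieces like realm="" are parameters of the previous challenge, not schemes.
            if words and SCHEME.match(words[0]) and words[0].upper() not in schemes:
                schemes.append(words[0].upper())
    return schemes

def audit_endpoint(url, www_authenticate_values):
    """List relay-relevant findings for one enrollment endpoint."""
    schemes = offered_schemes(www_authenticate_values)
    findings = []
    if "NTLM" in schemes:
        findings.append("ntlm-offered")
    if "NEGOTIATE" in schemes:
        # Negotiate may select Kerberos or NTLM; the header alone cannot tell which
        # the server permits, so this needs checking in the server configuration.
        findings.append("negotiate-verify-ntlm-fallback")
    # Plain HTTP: nothing ties the authentication exchange to a TLS channel.
    if findings and urlsplit(url).scheme.lower() != "https":
        findings.append("no-tls")
    return findings

# Constructed sample data: endpoint URL -> WWW-Authenticate header values from its 401 reply.
SAMPLES = {
    "http://ca01.example.internal/certsrv/": ["Negotiate", "NTLM"],
    "https://ca02.example.internal/certsrv/": ["Negotiate, NTLM"],
    "https://ca03.example.internal/certsrv/": ["Negotiate"],
    "https://ca04.example.internal/certsrv/": ['Basic realm="pki, NTLM gateway"'],
}

def audit_all(samples):
    return {url: audit_endpoint(url, headers) for url, headers in samples.items()}

if __name__ == "__main__":
    for url, findings in audit_all(SAMPLES).items():
        print(url, "->", ", ".join(findings) or "no NTLM-capable scheme advertised")
```

An empty result only means no NTLM-capable scheme was advertised in that response; it does not show how the server is configured.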