Security researcher Gilles Lionel has disclosed a new NTLM relay attack, named PetitPotam, that can be used to take over a Windows domain. It abuses a Windows function to force remote Windows servers, including domain controllers, to authenticate to a host the attacker controls. The attacker relays that NTLM authentication onward and can end up with complete control of the domain.

PetitPotam is not the first NTLM relay attack, but it differs in the function it coerces. The earlier technique (the so-called printer bug) abused the Windows Print Spooler's MS-RPRN API; PetitPotam abuses the Encrypting File System Remote Protocol (MS-EFSRPC) instead. What both have in common is that the abused service is enabled by default. After the first attack became known, many organizations disabled MS-RPRN as a mitigation; that does nothing against PetitPotam, which is why coerced NTLM authentication has re-emerged as a threat.

Microsoft stated that carrying out the attack requires the adversary to hold valid domain credentials for the target network. As a mitigation, Microsoft recommends disabling NTLM authentication wherever it is not required. Doing so is not free: legacy applications and devices that only speak NTLM will break, so the choice is between accepting the relay risk and accepting the cost of removing NTLM. The practical middle ground is to audit incoming NTLM traffic first, identify the clients that still depend on it, and only then enforce the restriction.
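The audit-before-enforce approach described above, as an added PowerShell example that is not part of the original article and is not Microsoft's own guidance text. It writes the registry values that back the "Network security: Restrict NTLM" Group Policy settings on the local server; the value meanings are taken from those policy settings, while the function names, the seven-day threshold and the `-Force` guard are this example's own choices.

```powershell
# Added example: audit incoming NTLM on a server before restricting it.
# The registry values below back the Group Policy settings
#   "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" and
#   "Network security: Restrict NTLM: Incoming NTLM traffic".
# Run from an elevated prompt. Function names are hypothetical (this example's own).

$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NtlmLog = 'Microsoft-Windows-NTLM/Operational'

function Enable-NtlmIncomingAudit {
    # AuditReceivingNTLMTraffic: 0 = disabled, 1 = domain accounts, 2 = all accounts.
    New-ItemProperty -Path $Msv1Key -Name 'AuditReceivingNTLMTraffic' `
        -PropertyType DWord -Value 2 -Force | Out-Null
    # The audit events land in the NTLM operational log; make sure it is enabled.
    wevtutil set-log $NtlmLog /enabled:true
}

function Get-NtlmIncomingSources {
    param([int]$Days = 14)
    # Summarise recent NTLM audit events on this server. The message text of each
    # event names the client and account; review it to find who still needs NTLM.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = $NtlmLog; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Message = $_.Message }
        } |
        Group-Object Id | Sort-Object Count -Descending
}

function Set-NtlmIncomingRestriction {
    param(
        [ValidateSet('AllowAll', 'DenyDomainAccounts', 'DenyAll')]
        [string]$Mode = 'AllowAll',
        [switch]$Force
    )
    # RestrictReceivingNTLMTraffic: 0 = allow all, 1 = deny domain accounts, 2 = deny all.
    $value = @{ AllowAll = 0; DenyDomainAccounts = 1; DenyAll = 2 }[$Mode]
    if ($Mode -ne 'AllowAll' -and -not $Force) {
        # Guard against the "breaks the environment" failure mode: refuse to enforce
        # while the audit log still shows NTLM use in the last week.
        $recent = Get-NtlmIncomingSources -Days 7
        if ($recent) {
            $total = ($recent | Measure-Object -Property Count -Sum).Sum
            Write-Warning "NTLM still in use ($total audit events in the last 7 days); rerun with -Force to enforce anyway."
            return
        }
    }
    New-ItemProperty -Path $Msv1Key -Name 'RestrictReceivingNTLMTraffic' `
        -PropertyType DWord -Value $value -Force | Out-Null
}

# Typical sequence: turn on auditing, wait a couple of weeks, review, then restrict.
Enable-NtlmIncomingAudit
Get-NtlmIncomingSources -Days 14 | Format-Table Name, Count
Set-NtlmIncomingRestriction -Mode DenyAll
```

Restricting incoming NTLM on a single server only protects that server; the relay described in the article targets the coerced server's outgoing authentication, so the same audit-then-restrict cycle has to be applied to every host that an attacker could coerce, and to the relay targets (for example AD CS web enrollment) as well.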
