Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) – ADV210003 – KB5005413 – PetitPotam

Updates

  • 2021-08-06 – Added recommendations to protect DC’s

This advisory is related to the recent Certified Pre-Owned whitepaper discussing the possible abuse of the Active Directory Certificate Services AD CS role in combination with Credentials Relay Attacks such as MS-RPRN and the more recent MS-EFSRPC aka PetitPotam.

The MS-EFSRPC protocol can be used to coerce any Windows host including Domain Controllers to authenticate to a specific destination. The designated destination then forwards the NTLM credentials to another service that is configured to accept WIA/NTLM resulting in an abuse of the services.

An attacker can target a Domain Controller to send its credentials by using the MS-EFSRPC protocol and then relaying the DC NTLM credentials to the Active Directory Certificate Services AD CS Web Enrollment pages to enroll a DC certificate. This will effectively give the attacker an authentication certificate that can be used to access domain services as a DC and compromise the entire domain.

AD CS is especially interesting as it offers role services that by default accept NTLM based authentication. The Certificate Authority Web Enrollment and the Certificate Enrollment Web Service can be abused to issue certificates by performing NTLM Relay Attacks using MS-EFSRPC, MS-RPRN or other API that offer a smilar behavior.

Microsoft has released ADV210003 and KB5005413 in response to the published POC.

Mitigations

We share the Microsoft recommended mitigations but think that it is very important to address the justification of having the affected role services and recommend the following mitigations:

Protecting your DC’s

Block outbound traffic from DC’s

Blocking connections initiated by DC to arbitrary services and hosts is an effective mitigation. DC’s should only initiate connections to well known destinations like other DC’s or hosts that are classified to be necessary for such communication. If tiering is implemented in the domain, outbound connections should be limited to tier 0 hosts and services.

Block [MS-ESFR] (EFSRPC) using RPC filters

Benjamin Delpy suggested to use RPC filters to block MS-EFSR by creating filter rules to block the known UUID’s for \pipe\lsarpc and \pipe\efsrpc using the command:

netsh.exe -f block_efsr.txt

Using RPC filtering to block PetitPotam calls

The content of the suggested block_efsr.txt is

rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit

Protecting/Fixing AD CS

Preferred mitigation

Remove the listed role services if not justified by a business need. In most of the cases the affected services are replaceable by other API/interfaces such as the built-in RPC interfaces.

Secondary Mitigations

If removing the affected role services is not an option we strongly advice to perform the following actions (listed in order of more secure to less secure): 

  • Restrict/disable inbound NTLM authentication to the server running the role service by setting the policy “Network security: Restrict NTLM: Incoming NTLM traffic”.
PetitPotam-KB5005413-ADV210003
Network security: Restrict NTLM: Incoming NTLM traffic
  • Disable/remove the NTLM provider in the Internet Information Services (IIS) running the selected role services.
PetitPotam-KB5005413-ADV210003
Disable NTLM – Internet Information Services (IIS)

Additional mitigations

If NTLM must remain enabled, we recommend

  • Enabling Extended Protection for Authentication (EPA) And Require TLS on the selected role services.
PetitPotam-KB5005413-ADV210003
Extended Protection for Authentication (EPA) 
  • Enable strict network access control to the selected service.
  • Always enable TLS for proper transport and session protection.


By Hasain Alshakarti

Hasain Alshakarti is an acknowledged security expert and computer industry speaker, he has been speaking at MS Ignite, TechED US, TechED Europe, and TechDays as well as other events and conferences across the world. Besides being a very popular instructor for the last 25 years Hasain is specially focusing Incident response, Red Teaming, Blue Teaming, Security Assessment, Network Security, Identity and Access and PKI, helping customers understand and implement security measures. Hasain has a background as a developer and works closely with developers to help them understand security demands and realize in applications and system without losing functionality and usability. He is member of the TRUESEC Cyber Security and Infrastructure Team, and a recipient of the Microsoft Most Valuable Professional (MVP) Award in Datacenter and Enterprise Security.