
Mitigation and Protection

Microsoft recommends that potentially impacted customers enable Extended Protection for Authentication (EPA) and disable HTTP on AD CS servers. Additional information and the steps for this mitigation can be found on the Microsoft site.
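One way to check the two settings named above, as an added example that is not Trend Micro's or Microsoft's code: a Python audit of an IIS `applicationHost.config` that flags any location using Windows authentication without EPA set to `Require` or without SSL required. It assumes the mitigation is expressed through IIS's `extendedProtection tokenChecking` and `access sslFlags` settings; the site and application names and the sample configuration are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a fragment of IIS applicationHost.config.
# The site and application names are assumptions for illustration only.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer><security>
      <access sslFlags="None" />
      <authentication><windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Allow" />
      </windowsAuthentication></authentication>
    </security></system.webServer>
  </location>
  <location path="Default Web Site/CA01_CES_Kerberos">
    <system.webServer><security>
      <access sslFlags="Ssl, Ssl128" />
      <authentication><windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" />
      </windowsAuthentication></authentication>
    </security></system.webServer>
  </location>
</configuration>"""


def audit_locations(config_xml):
    """Return {location path: [findings]} for locations using Windows auth."""
    results = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        sec = loc.find("system.webServer/security")
        win = None if sec is None else sec.find("authentication/windowsAuthentication")
        if win is None or win.get("enabled", "false").lower() != "true":
            continue  # no Windows (NTLM/Negotiate) authentication set here
        findings = []
        epa = win.find("extendedProtection")
        # A missing element or attribute means IIS's default, tokenChecking="None".
        token = epa.get("tokenChecking", "None") if epa is not None else "None"
        if token != "Require":
            findings.append(f"EPA tokenChecking is {token}, expected Require")
        access = sec.find("access")
        flags = access.get("sslFlags", "None") if access is not None else "None"
        if "Ssl" not in [f.strip() for f in flags.split(",")]:
            findings.append(f"sslFlags is {flags}: plain HTTP is accepted")
        results[loc.get("path")] = findings
    return results


if __name__ == "__main__":
    for path, findings in audit_locations(SAMPLE_CONFIG).items():
        print(path, "OK" if not findings else findings)
```

Only settings written explicitly under a `<location>` element are evaluated; values inherited from a parent site are not resolved.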

Trend Micro Protection

The following rules, filters and patterns can help customers to protect themselves against new or further exploitation attempts in combination with patching and/or other manual mitigation steps.

Trend Micro Cloud One – Workload Security and Deep Security IPS Rules
  • Rule 1011058: Identified DCERPC EfsRpcOpenFileRaw Call Over SMB Protocol
Trend Micro Cloud One – Network Security and TippingPoint IPS Filters
  • Filter 40036: RPC: Microsoft Windows EfsRpcOpenFileRaw Request
Trend Micro is continuing to aggressively investigate other forms of detection and protection to assist our customers, but the primary recommendation remains to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if and when additional layers of protection become available.

References