PetitPotam is an authentication-coercion technique that abuses the MS-EFSRPC EfsRpcOpenFileRaw call to force a Windows host, including a domain controller, to authenticate to an attacker-controlled machine. When the coerced NTLM authentication is relayed to Active Directory Certificate Services (AD CS) web endpoints, the attacker can obtain a certificate in the domain controller's name and take over the entire Windows domain.
Vulnerable configurations include AD CS deployed with either of the following roles:
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service
Mitigation and Protection
Microsoft recommends that potentially affected customers enable Extended Protection for Authentication (EPA) and disable HTTP (require HTTPS) on AD CS servers running the roles listed above. Both settings are needed together: EPA binds the NTLM exchange to the client's TLS channel so a relayed authentication is rejected, and it cannot apply to an endpoint that is still reachable over plain HTTP. Note that these steps harden the AD CS relay target; they do not stop the underlying EfsRpcOpenFileRaw coercion itself. Detailed steps for this mitigation are found on the Microsoft site.
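The following PowerShell is an added example that applies the two settings above to the IIS applications AD CS uses; it is not part of this bulletin or of Microsoft's own guidance script. It assumes the WebAdministration module is present (IIS on Windows Server), that the applications live under 'Default Web Site', and that the application list matches this host: 'CertSrv' is the default CA Web Enrollment path, while the Certificate Enrollment Web Service path is CA-specific and must be supplied by the operator.

```powershell
# Added example (not the bulletin's or Microsoft's code): enforce EPA and require TLS
# on the IIS applications used by AD CS Web Enrollment / Certificate Enrollment Web Service.
# Assumptions: WebAdministration module available, site is 'Default Web Site',
# and $Apps lists only the AD CS applications that actually exist on this host.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Site = 'Default Web Site'
# 'CertSrv' is the default Web Enrollment path. Add the CES application path
# (CA-specific, e.g. '<CA Name>_CES_Kerberos') if that role is installed here.
$Apps = @('CertSrv')

$EpaFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$SslFilter = 'system.webServer/security/access'

function Set-AdcsEpaHardening {
    param(
        [Parameter(Mandatory)] [string]   $Site,
        [Parameter(Mandatory)] [string[]] $Apps
    )
    foreach ($app in $Apps) {
        $location = "$Site/$app"
        # 1. Require EPA (channel binding) for Windows authentication. A relayed NTLM
        #    exchange carries a channel-binding token for the attacker's TLS session,
        #    not the victim's, so the CA rejects it.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter $EpaFilter -Name 'tokenChecking' -Value 'Require'
        # 2. Require TLS so the endpoint is no longer reachable over plain HTTP,
        #    where there is no channel for EPA to bind to.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter $SslFilter -Name 'sslFlags' -Value 'Ssl'
    }
}

function Test-AdcsEpaHardening {
    param(
        [Parameter(Mandatory)] [string]   $Site,
        [Parameter(Mandatory)] [string[]] $Apps
    )
    foreach ($app in $Apps) {
        $location = "$Site/$app"
        # Read the effective configuration back rather than trusting the write succeeded.
        $epa = (Get-WebConfiguration -PSPath 'IIS:\' -Location $location -Filter $EpaFilter).tokenChecking
        $ssl = (Get-WebConfiguration -PSPath 'IIS:\' -Location $location -Filter $SslFilter).sslFlags
        [pscustomobject]@{
            Application        = $location
            ExtendedProtection = $epa
            SslFlags           = $ssl
            Hardened           = ($epa -eq 'Require') -and ($ssl -match 'Ssl')
        }
    }
}

Set-AdcsEpaHardening  -Site $Site -Apps $Apps
Test-AdcsEpaHardening -Site $Site -Apps $Apps | Format-Table -AutoSize
# Restart IIS so the new authentication settings take effect.
iisreset
```

Run the verification function on its own during an audit: any row with Hardened = False is an AD CS endpoint that still accepts a relayed NTLM authentication. For the Certificate Enrollment Web Service, Microsoft's guidance also requires setting EPA enforcement in the service's web.config; that file edit is not scripted here.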
Trend Micro Protection
The following rules, filters and patterns can help customers protect themselves against new or further exploitation attempts, in combination with patching and/or other manual mitigation steps.
Trend Micro Cloud One – Workload Security and Deep Security IPS Rules
- Rule 1011058: Identified DCERPC EfsRpcOpenFileRaw Call Over SMB Protocol
- Filter 40036: RPC: Microsoft Windows EfsRpcOpenFileRaw Request