ADCS + PetitPotam NTLM Relay

Intro

Active Directory Certificate Services (ADCS) + PetitPotam + NLTM Relay technique that allows attackers, given ADCS is misconfigured (which it is by default), to effectively escalate privileges from a low privileged domain user to Domain Admin.

ConditionsBelow are some of the conditions making an AD environment vulnerable to ADCS + NTLM relay attack:

• ADCS is configured to allow NTLM authentication;

• NTLM authentication is not protected by EPA or SMB signing;

• ADCS is running either of these services:

  • Certificate Authority Web Enrollment

  • Certificate Enrollment Web Service

Overview

Below provides a high level overview of how the attack works:

1. Get a foothold in an AD network with a misconfigured ADCS instance;

2. Setup an NTLM relay listener on a box you control, so that incoming authentications are relayed to the misconfigured ADCS;

3. Force the target DC to authenticate (using PetitPotam or PrintSpooler trick) to the box running your NTLM relay;

4. Target DC attempts to authenticate to your NTLM relay;

5. NTLM relay receives the DC$ machine account authentication and relays it to the ADCS;

6. ADCS provides a certificate for the target DC$ computer account;

7. Use the target DC's computer account certificate to request its Kerberos TGT;

8. Use target DC's computer account TGT to perform DCSync and pull the NTLM hash of krbtgt;

9. Use krbtgt NTLM hash to create golden ticket that allow you to impersonate any domain user, including Domain Admin.

Mitigations

Detection

PetitPotam does not require any authentication, which means we can look for anonymous NTLM logins to servers, especially domain controllers, adversaries using their machine for the attack generate Event ID 4624 with a null workstation field which we can use to filter out false positives.

Malicious Logins

PetitPotam will generate an odd login that can be used to detect and hunt for indications of execution. To collect Event ID 4624, the Windows Advanced Audit Policy will need to have the following policy enabled:

• Logon/Logoff – Audit Logon = Success and Failure

The following query logic can be used:

• Event Log = Security

• Event ID = 4624

• User = ANONYMOUS LOGON

• Authentication Package Name = NTLM*

• Elevated Token – *1842

Malicious Share Access

PetitPotam will generate odd network share connections that can be used to detect and hunt for indications of execution. To collect Event ID 5145, the Windows Advanced Audit Policy will need to have the following policy enabled:

• Object Access – Audit Detailed File Share = Success

• Object Access – File Share = Success

The following query logic can be used:

• Event Log = Security

• Event ID = 5145

• Object Name = *IPC*

• Target Name = (“lsarpc” or “efsrpc” or “lsass” or “samr” or “netlogon”

MS-DFSNM coerce authentication