Advisory Type: IT Security
Summary: PDS is providing the following communication to build awareness of an NTLM attack vector against Windows systems.
On July 23, 2021, Microsoft released Security Advisory ADV210003. The Advisory was issued in response to research and proof-of-concept code published by security researcher Gilles Lionel. Lionel published information demonstrating how a malicious actor can force Windows systems to authenticate and harvest the password hashes. The password information can be used to determine the clear-text password for the user and can be used to authenticate as the user in replay attacks.
The exploit, named “PetitPotam”, uses an NTLM Relay Attack strategy to create the desired authentication conditions and harvest the NTLM hashed password for the user. NTLM Relay Attacks are common and not difficult to craft, and with the proof-of-concept code published widespread use of this strategy to harvest account credentials is inevitable.
Microsoft NTLM authentication is well-known as a less-secure authentication mechanism but is still enabled by default in Microsoft Windows systems for backward compatibility. Microsoft’s reply to this situation reinforced that the issue has been thoroughly documented and mitigation strategies have been published, including Security Advisory 974926 from 2009. Additionally, Microsoft published KB5005413 providing instructions on mitigating NTLM Relay Attacks involving Active Directory Certificate Services (AD CS).
Organizations should evaluate their need for NTLM authentication and remove or disable the services if not required. Environments where NTLM is required should use one of the mitigation strategies to protect against NTLM Relay Attacks.
We strongly advise customers to review the Microsoft advisories and assess the impact to their environments. PDS Architects are available to assist with the assessment and mitigations, your Account Director can assist in arranging support for this issue.