
New PetitPotam attack allows take over of Windows domains

Submitted by
Style Pass
2021-07-24 07:30:07

A new NTLM relay attack called PetitPotam has been discovered that allows threat actors to take over a domain controller, and thus an entire Windows domain.

Many organizations utilize Microsoft Active Directory Certificate Services, which is a public key infrastructure (PKI) server that can be used to authenticate users, services, and machines on a Windows domain.

In the past, researchers discovered a method to force a domain controller to authenticate against a malicious NTLM relay that would then forward the request to a domain's Active Directory Certificate Services via HTTP.

Ultimately, the attacker would be granted a Kerberos ticket granting ticket (TGT) that would allow them to assume the identity of any device on the network, including a domain controller.

To force the machine to perform the authentication to a remote server, an attacker could use the RpcRemoteFindFirstPrinterChangeNotification function of the MS-RPRN printing API.
