Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

New Blog Post | PetitPotam? Microsoft Defender for Identity has it covered!

Microsoft

AshleyMartin_0-1629305396165.png

PetitPotam? Microsoft Defender for Identity has it covered! - Microsoft Tech Community

The EFSRPC protocol that PetitPotam exploits is typically used to maintain and manage encrypted data that is stored remotely and accessed over a network. It’s mainly used to manage Windows files that reside on remote file servers and are encrypted using the Encrypting File System (EFS). Using the PetitPotam vector, an adversary can manipulate MS-EFSRPC API functions without authentication using the OpenEncryptedFileRaw calls. This allows the adversary to force a domain controller to authenticate to an NTLM relay server under the attacker's control.

 

0 Replies