New Blog Post | PetitPotam? Microsoft Defender for Identity has it covered!

Microsoft

PetitPotam? Microsoft Defender for Identity has it covered! - Microsoft Tech Community

The EFSRPC protocol that PetitPotam exploits is typically used to maintain and manage encrypted data that is stored remotely and accessed over a network. It’s mainly used to manage Windows files that reside on remote file servers and are encrypted using the Encrypting File System (EFS). Using the PetitPotam vector, an adversary can manipulate MS-EFSRPC API functions without authentication using the OpenEncryptedFileRaw calls. This allows the adversary to force a domain controller to authenticate to an NTLM relay server under the attacker's control.
