A reminder prompted by vulnerability note VU#405600 – 2nd Aug 2021

Preface: Alert by CISA. Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks.

Background: NTLM has fundamental design weaknesses, and cyber criminals can take advantage of them. When those weaknesses are combined with the EfsRpcOpenFileRaw method, the result is a powerful tool for compromising a Windows environment.

Vulnerability details: Code running on any domain-joined system can trigger this function to be called on a domain controller without needing to know the credentials of the current user or any other user in an Active Directory. And because the EfsRpcOpenFileRaw method authenticates as the machine dispatching the request, this means that a user of any system connected to an AD domain can trigger an NTLM authentication request as the domain controller machine account to an arbitrary host, without needing to know any credentials. This can allow for NTLM relay attacks.

Observation: While NTLM is still supported by Microsoft, it has been replaced by Kerberos as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains. Confirm which authentication method your SharePoint server is using. Do not use NTLM.
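The vulnerability details above describe the tell-tale pattern: a domain controller's machine account authenticating over NTLM to a host that is not the domain controller. The following added example (not from the vulnerability note or from CISA) shows one way a defender can hunt for that pattern in Windows Security log data. It assumes a simplified key=value rendering of Event ID 4624 fields, a hypothetical inventory of domain controller accounts and addresses (DC01$, DC02$ and their IPs are constructed), and constructed sample records; real log export formats will differ.

```python
"""
Hunt for NTLM logons by domain-controller machine accounts that originate
from an address other than the DC's own.  Event ID 4624 (successful logon)
records the authentication package and the source network address; during
an NTLM relay the DC's machine account (name ending in '$') authenticates
over NTLM from the relaying host rather than from the DC itself.
"""
import re
from collections import Counter

# Assumed inventory of domain controllers and their addresses (hypothetical values).
DC_HOSTS = {
    "DC01$": "10.0.0.10",
    "DC02$": "10.0.0.11",
}

# Source addresses that mean "logged on locally" in a 4624 record; not a relay indicator.
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}

# Constructed sample records: a flattened key=value rendering of 4624 fields
# (not real log output; field names follow the Security log field labels).
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=alice AuthenticationPackageName=Kerberos IpAddress=10.0.1.25 LogonType=3",
    "EventID=4624 TargetUserName=DC01$ AuthenticationPackageName=Kerberos IpAddress=10.0.0.11 LogonType=3",
    "EventID=4624 TargetUserName=DC01$ AuthenticationPackageName=NTLM IpAddress=10.0.1.77 LogonType=3",
    "EventID=4624 TargetUserName=WS07$ AuthenticationPackageName=NTLM IpAddress=10.0.1.40 LogonType=3",
    "EventID=4624 TargetUserName=DC02$ AuthenticationPackageName=NTLM IpAddress=- LogonType=3",
    "EventID=4624 TargetUserName=DC02$ AuthenticationPackageName=NTLM IpAddress=10.0.1.77 LogonType=3",
    "EventID=4625 TargetUserName=DC02$ AuthenticationPackageName=NTLM IpAddress=10.0.1.77 LogonType=3",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_machine_account(name):
    """Computer accounts in AD end with '$'."""
    return name.endswith("$")


def find_suspicious_ntlm_logons(lines, dc_hosts=DC_HOSTS):
    """Return (account, source_ip) pairs for successful NTLM logons by a DC
    machine account from an address that is neither local nor the DC's own."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue  # only successful logons are relay evidence here
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos DC-to-DC traffic is expected
        acct = ev.get("TargetUserName", "")
        if not is_machine_account(acct) or acct not in dc_hosts:
            continue  # workstation accounts over NTLM are noisy but not this pattern
        src = ev.get("IpAddress", "")
        if src in LOCAL_SOURCES or src == dc_hosts[acct]:
            continue  # the DC authenticating as itself, from itself
        hits.append((acct, src))
    return hits


def relay_sources(lines, dc_hosts=DC_HOSTS):
    """Count suspicious logons per source address; a single host impersonating
    several DCs is a strong indicator of a relay point."""
    return dict(Counter(src for _, src in find_suspicious_ntlm_logons(lines, dc_hosts)))


if __name__ == "__main__":
    for acct, src in find_suspicious_ntlm_logons(SAMPLE_EVENTS):
        print(f"NTLM logon by {acct} from {src} (not the DC's own address)")
    print("suspect sources:", relay_sources(SAMPLE_EVENTS))
```

On the constructed sample this reports both domain controller accounts authenticating over NTLM from 10.0.1.77, which is the pattern the vulnerability details describe; a workstation account using NTLM, and a DC account logging on locally, are deliberately not flagged so the rule stays focused on the DC machine account.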

Official technical articles – Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks – https://kb.cert.org/vuls/id/405600
