Nessus plugin: windows_petitpotam.nbin
Published: Jul 27, 2021

Microsoft Windows EFSRPC NTLM Reflection Elevation of Privilege (PetitPotam) (Remote)

This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

The remote host is affected by an NTLM reflection elevation of privilege vulnerability known as ‘PetitPotam’. An unauthenticated, remote attacker can exploit this by sending a specially crafted EFSRPC request that causes the affected host to connect to a malicious server. The attacker can then use an NTLM relay to impersonate the target host and authenticate against remote services.

One attack scenario, described in KB5005413, uses this exploit to initiate an NTLM session as a domain controller’s machine account. This session is then relayed to an Active Directory Certificate Services (AD CS) host to obtain a certificate. This certificate could then be used to move laterally within the domain environment.
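In the scenario above, the relay ends with the domain controller's machine account authenticating over NTLM to the AD CS host from the attacker's address rather than from the DC itself. As an added example that is not part of the Tenable plugin, the following Python detector runs over constructed Event ID 4624-style logon records and flags machine-account NTLM logons whose source address is outside an assumed asset inventory; the log lines and the inventory are constructed.

```python
import re

# Constructed 4624-style logon records (not from the page); field names follow
# the Windows Security log Event ID 4624 schema, the values are made up.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 TargetUserName=WS01$ AuthenticationPackageName=Kerberos IpAddress=10.0.0.21",
    "EventID=4624 LogonType=3 TargetUserName=DC01$ AuthenticationPackageName=NTLM IpAddress=10.0.0.55",
    "EventID=4624 LogonType=3 TargetUserName=alice AuthenticationPackageName=NTLM IpAddress=10.0.0.30",
    "EventID=4624 LogonType=3 TargetUserName=DC01$ AuthenticationPackageName=NTLM IpAddress=10.0.0.10",
    "EventID=4624 LogonType=3 TargetUserName=DC01$ AuthenticationPackageName=NTLM IpAddress=-",
    "EventID=4634 TargetUserName=DC01$",
]

# Constructed asset inventory (assumption: the monitored AD CS host keeps one):
# the addresses each machine account is expected to authenticate from.
KNOWN_HOST_IPS = {"DC01$": {"10.0.0.10"}, "WS01$": {"10.0.0.21"}}


def parse_event(line):
    """Parse a 'key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_relayed_machine_logon(event, known_ips):
    """True when a machine account (name ends in '$') logs on over NTLM from
    an address that is not its own. A DC machine account reaching the AD CS
    host this way matches the relay scenario described in KB5005413."""
    if event.get("EventID") != "4624":
        return False
    if event.get("AuthenticationPackageName") != "NTLM":
        return False
    user = event.get("TargetUserName", "")
    ip = event.get("IpAddress", "-")
    if not user.endswith("$") or ip == "-":
        # Not a machine account, or no source recorded: cannot attribute.
        return False
    # Accounts missing from the inventory are flagged too (unknown origin).
    return ip not in known_ips.get(user, set())


def find_relay_candidates(lines, known_ips=KNOWN_HOST_IPS):
    """Return (account, source_ip) pairs worth investigating."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_relayed_machine_logon(event, known_ips):
            hits.append((event["TargetUserName"], event["IpAddress"]))
    return hits


if __name__ == "__main__":
    for account, ip in find_relay_candidates(SAMPLE_EVENTS):
        print(f"possible NTLM relay of {account} from {ip}")
```

Run against real 4624 exports, the same check should be paired with the KB5005413 hardening (Extended Protection for Authentication on AD CS web endpoints) rather than used as the only control.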

Binary data windows_petitpotam.nbin
Vendor: microsoft
Product: windows
Version: (not listed)