Microsoft has published mitigation guidance for PetitPotam, a newly disclosed NTLM relay attack that lets an attacker take over domain controllers and other Windows servers.
French security researcher Gilles Lionel discovered PetitPotam, a new method of conducting an NTLM relay attack, and published a proof of concept together with the script used to perform it.
The new attack uses the Microsoft Encrypting File System Remote Protocol (EFSRPC) to force a device, including domain controllers, to authenticate to a remote NTLM relay controlled by a threat actor.
Once a device authenticates to the malicious server, the threat actor does not need to crack anything: the authentication can be relayed to another service that accepts it, for example to obtain a certificate for the device's machine account from AD CS, and the result can be used to assume the identity of the device and its privileges.
Mitigation for Domain Controllers
Microsoft published a security advisory (KB5005413) with recommendations for organizations that need to protect their assets against this attack.
The attack depends on NTLM authentication being enabled in the domain and on Active Directory Certificate Services (AD CS) being deployed with Certificate Authority Web Enrollment or the Certificate Enrollment Web Service, the HTTP-based enrollment endpoints that accept the relayed authentication.
Microsoft recommends disabling NTLM where it is not necessary, for example on domain controllers, or enabling Extended Protection for Authentication (EPA) on the AD CS web services. EPA binds the NTLM authentication to the TLS channel it arrives over, so an authentication the attacker relays from a different connection is rejected.
Where NTLM must remain enabled, the company also recommends that services accepting NTLM authentication use signing features such as SMB signing, which has been available since Windows 98. Signing only protects the protocol it is enabled for: SMB signing stops relays to SMB, not relays to the HTTP enrollment endpoints, which is why EPA is the relevant control for AD CS itself.
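The script below is an added example, not code from Microsoft's advisory or from the PetitPotam researcher. It audits an AD CS host for the settings discussed above (EPA on the Web Enrollment application, SSL required, SMB signing, incoming NTLM) and assumes the default /CertSrv application under 'Default Web Site', the IIS WebAdministration and SmbShare PowerShell modules, and an elevated session on the AD CS server; the Certificate Enrollment Web Service configures EPA in its own web.config and is not covered here.

```powershell
# Added example (not Microsoft's advisory text or the researcher's PoC):
# audit an AD CS host for the mitigations the advisory names.
# Assumptions (not from the original article): Web Enrollment is /CertSrv
# under 'Default Web Site', the WebAdministration and SmbShare modules are
# available, and this runs elevated on the AD CS server itself.

Import-Module WebAdministration -ErrorAction Stop

function Test-AdcsRelayMitigations {
    param(
        [string]$Site = 'Default Web Site',   # assumption: default IIS site
        [string]$App  = 'CertSrv'             # assumption: default Web Enrollment path
    )

    $location = "$Site/$App"
    $apphost  = 'MACHINE/WEBROOT/APPHOST'
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Extended Protection for Authentication on Web Enrollment.
    #    Only 'Require' enforces channel binding; 'Allow' still accepts a client
    #    that sends no channel binding token, which is exactly what a relay does.
    #    Fix: Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    #         -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    #         -Name tokenChecking -Value Require
    $epa = Get-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking'
    if ("$epa" -ne 'Require') {
        $findings.Add("[$location] EPA tokenChecking is '$epa'; expected 'Require'")
    }

    # 2. EPA is only meaningful over TLS, so the application must require SSL.
    #    Fix: Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    #         -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    $sslFlags = Get-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    if ("$sslFlags" -notmatch '\bSsl\b') {
        $findings.Add("[$location] sslFlags is '$sslFlags'; expected to include 'Ssl'")
    }

    # 3. SMB signing required on the server side. This protects SMB relays only,
    #    not the HTTP enrollment endpoints checked above.
    #    Fix: Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    $smb = Get-SmbServerConfiguration
    if (-not $smb.RequireSecuritySignature) {
        $findings.Add('SMB server signing is not required (RequireSecuritySignature is false)')
    }

    # 4. Incoming NTLM on this host. The 'Network security: Restrict NTLM:
    #    Incoming NTLM traffic' policy is backed by this MSV1_0 value:
    #    0 (or missing) = allow all, 1 = deny domain accounts, 2 = deny all accounts.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
        -Name 'RestrictReceivingNTLMTraffic' -ErrorAction SilentlyContinue
    $ntlmIn = if ($lsa) { $lsa.RestrictReceivingNTLMTraffic } else { 0 }
    if ($ntlmIn -ne 2) {
        $findings.Add("Incoming NTLM is still accepted (RestrictReceivingNTLMTraffic=$ntlmIn); " +
            'deny it here if NTLM is not needed on this host')
    }

    return $findings
}

$result = Test-AdcsRelayMitigations
if ($result.Count -eq 0) {
    Write-Output 'All checked mitigations are in place.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it once before and once after applying the advisory's changes; a clean run means EPA is required and SSL is enforced on Web Enrollment, SMB signing is mandatory, and the host refuses incoming NTLM. If your Web Enrollment site or application path differs from the defaults, pass -Site and -App accordingly.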
Technically, PetitPotam abuses the EfsRpcOpenFileRaw function of the MS-EFSRPC API. The function takes a file path, and supplying a UNC path that points at an attacker-controlled host makes the target connect there and authenticate; that coerced authentication is what gets relayed. Because the coercion itself is generic, it leaves the door open to relay attacks against targets other than AD CS.
Microsoft's advisory is clear about how to prevent NTLM relay attacks, but it does not address the abuse of the MS-EFSRPC API itself, which would need a security update to fix.
Several security researchers have noted that the EFSRPC protocol is not mentioned in the Microsoft advisory at all.