I swear I couldn't find one place on the internet where #PetitPotam is explained in a way that I can truly understand it. So I'm dumping the attack flow here as a future reference for myself. If any of you finds it useful - good. If any of you wishes to add - comment. 1/7
The attack starts when an attacker, from her own machine, coerces a (possibly privileged) Windows host, typically a domain controller, into authenticating to *her*. She does it by asking the host's EFS-RPC interface (MS-EFSR, the Encrypting File System Remote protocol, reachable over the lsarpc and efsrpc named pipes) to open a remote file that lives on her machine. No domain creds are needed! (True when this was written; Microsoft has since patched the unauthenticated path as CVE-2021-36942, and with the patch applied coercion through EFS-RPC still works but needs the credentials of some domain account.) 2/7
Technically speaking, the attacker invokes EfsRpcOpenFileRaw with a file path that points at her machine:
'\\<attacker_address>\test\Settings.ini'
(from @topotam77's PoC
github.com/topotam/PetitP…)
The host tries to open that path over SMB and, in doing so, authenticates to the attacker with NTLM. That is the essence of #PetitPotam.
3/7
Next, the attacker relays that NTLM authentication (NTLM Relay) to AD CS (Active Directory Certificate Services), so AD CS sees a session authenticated as the victim machine's account - the attacker "impersonates" the victim machine.
This part is based on @SpecterOps's findings (ESC8 in posts.specterops.io/certified-pre-…) and isn't PetitPotam-specific.
[img: @HackAndDo] 4/7
2 AD CS components expose NTLM-authenticated HTTP endpoints that can be relayed to by default (neither requires HTTPS nor Extended Protection for Authentication):
1. CA Web Enrollment (the /certsrv pages)
2. Certificate Enrollment Web Service (CES)
Through the relayed session the attacker requests a new certificate for the victim's machine account. Unlike the relayed session, the certificate outlives the attack: with it she can obtain Kerberos tickets (PKINIT) as that account for as long as the certificate is valid, so a coerced domain controller turns into *persistent* privileged access to other services & resources. 5/7
So basically 2 services are exploited:
* EFS-RPC, as one can coerce it into performing authentication;
* One of the AD CS web endpoints mentioned above, as they don't enforce NTLM relay protection (HTTPS plus EPA, i.e. channel binding) by default. Any other NTLM service without relay protection (EPA on HTTPS, signing on SMB/LDAP) can be the relay target instead; AD CS just happens to hand out a reusable credential. 6/7
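To make the "relay protection" in that last bullet concrete, here is an added example (mine, not from the thread and not from @topotam77's PoC) that models NTLMv2 challenge/response between a coerced host, an attacker in the middle, and an AD CS web endpoint, once without and once with Extended Protection for Authentication. Everything in it is constructed: the account DC01$, the domain CORP, the password, the certificate bytes. Two deliberate simplifications are labelled in the comments: the NT hash is derived with SHA-256 instead of MD4 (MD4 is frequently absent from hashlib), and the NTLMv2 blob is reduced to the client challenge plus the channel-binding value, the one AV pair that matters for this point.

```python
# Added example: toy model of NTLMv2 relay with and without EPA (channel
# binding). Not the real wire format; names, hosts and secrets are constructed.
import hashlib
import hmac
import os
from typing import Optional


def nt_hash(password: str) -> bytes:
    # Stand-in for the real NT hash MD4(UTF-16LE(password)); 16 bytes like it.
    # SHA-256 is used because hashlib often lacks MD4 (simplification).
    return hashlib.sha256(password.encode("utf-16-le")).digest()[:16]


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # NTOWFv2 = HMAC-MD5(NThash, UTF-16LE(UPPER(user) + domain))
    return hmac.new(nt_hash(password),
                    (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def channel_binding(tls_cert: Optional[bytes]) -> bytes:
    # Stand-in for MsvAvChannelBindings: all zeros when there is no TLS channel
    # (SMB, RPC), otherwise a value tied to the server certificate the client saw.
    if tls_cert is None:
        return bytes(16)
    return hashlib.md5(b"tls-server-end-point:"
                       + hashlib.sha256(tls_cert).digest()).digest()


class Client:
    """The coerced host (e.g. a DC's machine account) answering a challenge."""

    def __init__(self, user: str, domain: str, password: str):
        self.user, self.domain, self.password = user, domain, password

    def respond(self, server_challenge: bytes, tls_cert: Optional[bytes]) -> dict:
        # blob = client challenge (8 bytes) + channel binding (16 bytes); both
        # are covered by nt_proof, so a relay cannot rewrite them.
        blob = os.urandom(8) + channel_binding(tls_cert)
        key = ntowf_v2(self.password, self.user, self.domain)
        nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
        return {"user": self.user, "domain": self.domain,
                "blob": blob, "nt_proof": nt_proof}


class Server:
    """The relay target (e.g. the CA Web Enrollment endpoint) verifying NTLMv2."""

    def __init__(self, accounts: dict, tls_cert: bytes, require_epa: bool):
        self.accounts, self.tls_cert, self.require_epa = accounts, tls_cert, require_epa

    def challenge(self) -> bytes:
        return os.urandom(8)

    def verify(self, server_challenge: bytes, resp: dict) -> str:
        key = ntowf_v2(self.accounts[resp["user"]], resp["user"], resp["domain"])
        expected = hmac.new(key, server_challenge + resp["blob"], hashlib.md5).digest()
        if not hmac.compare_digest(expected, resp["nt_proof"]):
            return "rejected: bad credentials"
        # EPA: the binding inside the signed blob must match *this* server's cert.
        if self.require_epa and not hmac.compare_digest(
                resp["blob"][8:], channel_binding(self.tls_cert)):
            return "rejected: channel binding mismatch"
        return f"authenticated as {resp['domain']}\\{resp['user']}"


def relay(victim: Client, target: Server, victim_sees_cert: Optional[bytes]) -> str:
    # Attacker's flow: (1) coerce the victim (EfsRpcOpenFileRaw with a UNC path
    # to the attacker; modelled here as simply calling victim.respond),
    # (2) open a session to the target and take its CHALLENGE, (3) hand that
    # challenge to the victim, (4) forward the victim's AUTHENTICATE to the target.
    chal = target.challenge()
    return target.verify(chal, victim.respond(chal, victim_sees_cert))


def run_scenarios() -> dict:
    accounts = {"DC01$": "constructed-machine-account-secret"}  # constructed
    ca_cert = b"-----constructed CA web enrollment TLS cert-----"
    attacker_cert = b"-----constructed attacker TLS cert-----"
    dc = Client("DC01$", "CORP", accounts["DC01$"])
    no_epa = Server(accounts, ca_cert, require_epa=False)
    epa = Server(accounts, ca_cert, require_epa=True)
    chal = epa.challenge()
    return {
        # Default AD CS endpoint: relaying an SMB/RPC-coerced auth succeeds.
        "no_epa_smb_coercion": relay(dc, no_epa, None),
        # EPA required: the coerced SMB auth carries a zero binding -> rejected.
        "epa_smb_coercion": relay(dc, epa, None),
        # EPA required, victim coerced over HTTPS to the attacker's cert -> rejected.
        "epa_https_to_attacker": relay(dc, epa, attacker_cert),
        # Legitimate client talking to the CA over its own TLS cert -> accepted.
        "epa_direct_client": epa.verify(chal, dc.respond(chal, ca_cert)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

Run it and the first scenario (a default, EPA-less endpoint) accepts the relayed machine-account authentication, while both EPA scenarios reject it with a channel-binding mismatch: the binding the coerced host signed is either all-zero (it was talking SMB/RPC, not TLS) or tied to the attacker's certificate, and because it sits under nt_proof the attacker cannot rewrite it without the account's key. That property is what the AD CS web endpoints lack by default, and what enabling EPA and requiring HTTPS on them restores.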
Thanks @oridavid123 and @kupsul, my two goto people in @Guardicore for everything related to Windows domain attacks ♥ 7/7
I wish to clarify: PetitPotam stands for only arrows (1) and (2), namely, the part where an attacker makes EFS-RPC initiate NTLM authentication. Thanks @wdormann for highlighting this.

Thread by Ophir Harpaz (@OphirHarpaz)
