Security researcher Gilles Lionel has uncovered a new NTLM relay attack that lets attackers take over Windows domains, The Hacker News has reported. The flaw, named PetitPotam, abuses a Windows RPC interface to coerce remote Windows servers, including Domain Controllers, into authenticating to an attacker-controlled host; the attacker can then relay that NTLM authentication to another service and completely take over the domain.
Gilles Lionel shared technical details and proof-of-concept (PoC) code last week, noting that the flaw works by forcing “Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.”
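As an added check (not part of the original report or of Lionel's PoC), the PowerShell below inspects a Windows host for two settings that bear on the coercion vector described above: whether an RPC filter blocks the MS-EFSRPC interface that exposes EfsRpcOpenFileRaw, and what the host's NTLM policy values are. The interface UUID and registry value names are the ones documented by Microsoft for MS-EFSRPC and LSA NTLM policy, not taken from the article, and the add-filter commands are left commented out because they are an assumption about your environment's tolerance for blocking EFS RPC calls.

```powershell
# Added example, not from the article or the PoC.
# Assumptions (not stated on the page):
#  - c681d488-d850-11d0-8c52-00c04fd90f7e is the documented MS-EFSRPC interface UUID
#  - the LSA registry values below are the standard NTLM policy settings
# Run in an elevated PowerShell session on the server being checked.

$EfsRpcUuid = 'c681d488-d850-11d0-8c52-00c04fd90f7e'

# 1. Is there an RPC filter covering the MS-EFSRPC interface?
$filterOutput = (& netsh.exe rpc filter show filter 2>&1) | Out-String
if ($filterOutput -match [regex]::Escape($EfsRpcUuid)) {
    Write-Output "[+] RPC filter present for MS-EFSRPC ($EfsRpcUuid)"
} else {
    Write-Output "[-] No RPC filter for MS-EFSRPC; EfsRpcOpenFileRaw is reachable over RPC"
}

# 2. NTLM policy values. LmCompatibilityLevel below 3 permits LM/NTLMv1 responses;
#    RestrictSendingNTLMTraffic 2 means outbound NTLM is denied entirely
#    (value absent = no restriction configured).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
Write-Output ("LmCompatibilityLevel      : {0}" -f $lsa.LmCompatibilityLevel)
Write-Output ("RestrictSendingNTLMTraffic: {0}" -f $msv.RestrictSendingNTLMTraffic)

# 3. (Optional, assumption about your environment) block the MS-EFSRPC interface
#    with an RPC filter. This stops remote calls to EfsRpcOpenFileRaw on this host,
#    but also breaks any legitimate EFS RPC usage against it; test before deploying.
# netsh rpc filter add rule layer=um actiontype=block
# netsh rpc filter add condition field=if_uuid matchtype=equal data=$EfsRpcUuid
# netsh rpc filter add filter
# netsh rpc filter show filter
```

An RPC filter only removes the coercion path the article names; it does nothing about the relay itself. Relay is stopped by making the relayed authentication unusable (signing and Extended Protection on the services an attacker would relay to, or disabling NTLM where the environment allows it), which is why the NTLM policy values are reported alongside the filter check.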