During the week of July 19th, 2021, information security researchers published a proof-of-concept tool named “PetitPotam” that exploits a flaw in Microsoft Windows Active Directory Certificate Servers with an NTLM relay attack. The flaw allows an attacker to gain administrative privileges of an Active Directory Certificate Server once on the network with another exploit or malware infecting a system.

The following details are provided to assist organizations in detecting and threat hunting for this and other similar types of threats.

The default settings of Windows logging do not often catch advanced threats. Therefore, Windows Advanced Audit Logging must be optimally configured to detect, and to be able to threat hunt, PetitPotam and similar attacks.

Organizations should have a standard procedure to configure the Windows Advanced Audit Policies as a part of a complete security program and have each Windows system collect locally significant events. NCC Group recommends using the following resource to configure Windows Advanced Audit Policies:

Malware Archaeology – Windows Logging Cheat Sheets.

Log rotation can be another major issue with Windows default log settings. The default log size should be increased to support detection engineering and threat hunting. Ideally, organizations should forward event logs to a log management or SIEM solution to operationalize detection alerts and provide a central console where threat hunting can be performed. Alternatively, with optimally configured log sizes, teams can run tools such as PowerShell or LOG-MD to hunt for malicious activity against the local log data.

Detecting and Threat Hunting NTLM Relay Attacks

The PetitPotam attack targets Active Directory servers running certificate services, so this will be the focus of the detection and hunting. Event log data is needed to detect or hunt for PetitPotam.

Malicious Logins

PetitPotam will generate an odd login that can be used to detect and hunt for indications of execution. The following settings and events can be used to detect this malicious activity:
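An added local-log hunting script, written for this page and not taken from the NCC Group post (whose own list of settings and events is not reproduced here). It assumes, from how the tool authenticates to its target rather than from anything stated on this page, that the odd login shows up in the Security log as Event ID 4624 with Logon Type 3 (network), Authentication Package NTLM and target account ANONYMOUS LOGON, and that the Advanced Audit Policy "Audit Logon" subcategory is enabled on the AD CS server.

```powershell
# Added example (not from the NCC Group post): hunt the local Security log of an
# AD CS server for anonymous NTLM network logons and summarise them per source.
# ASSUMPTION (not stated on this page): the PetitPotam login is a 4624 event with
# Logon Type 3, Authentication Package NTLM, target account ANONYMOUS LOGON.
# Requires "Audit Logon" (Success) in the Advanced Audit Policy and a Security
# log sized to retain the window being hunted.

param(
    [int]$HoursBack = 24   # hunting window; tune to the configured log size
)

# Positions of the fields inside a 4624 event's EventData (fixed by its schema).
$TargetUserName = 5
$LogonType      = 8
$AuthPackage    = 10
$Workstation    = 11
$IpAddress      = 18

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Properties[$LogonType].Value      -eq 3 -and
        $_.Properties[$AuthPackage].Value    -eq 'NTLM' -and
        $_.Properties[$TargetUserName].Value -eq 'ANONYMOUS LOGON'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Workstation = $_.Properties[$Workstation].Value   # client-supplied, often blank or bogus
            SourceIp    = $_.Properties[$IpAddress].Value
        }
    }

if (-not $hits) {
    "No anonymous NTLM network logons in the last $HoursBack hours."
    return
}

# Anonymous NTLM logons also come from legitimate null sessions, so triage by
# source: a burst from a host that is not a known server is what to investigate.
$hits | Group-Object SourceIp | Sort-Object Count -Descending | ForEach-Object {
    $first = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
    $last  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
    "{0,-16} {1,4} logon(s), first {2:u}, last {3:u}" -f $_.Name, $_.Count, $first, $last
}
```

Run it on the certificate server itself with an account that can read the Security log; the same filter translates directly into a SIEM query once logs are forwarded.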