PetitPotam and Friends: Coercion Noise on 445

PetitPotam is the “please coerce that machine into authenticating over there” energy that made AD CS and NTLM relay feel fresh again for a while. Different story than BloodHound’s LDAP shopping spree. You’re mostly living on 445, MS-EFSRPC / related RPC over SMB, and NTLM auth that shouldn’t be happening in that direction.

I labbed it with a small AD, AD CS in the mix, BadBlood-style mess so the directory wasn’t a sterile three-object cartoon, and a Kali box to poke from. Setup notes I followed at the time leaned on public writeups like the r3d buck3t PetitPotam domain takeover style posts — use current patched guidance; coercion chains move.

What you’re trying to see

At a high level:

  1. Attacker talks to victim host (often DC or other high-value) on SMB/RPC
  2. Victim is coerced into authenticating to attacker-controlled listener (or relay target)
  3. If you can relay that to LDAP/HTTP/AD CS / whatever is still stupid enough to accept it, game on

Detection on the wire is not “string PETITPOTAM in ASCII.” It’s weird EFSRPC / pipe activity + NTLM AUTH patterns + “why is this host authenticating over there.”

Lab notes

  • Windows Server lab domain (I had 2016 in notes) + separate AD CS thinking
  • BadBlood or similar if you want noise and nested groups
  • Capture SMB to/from the coerced host
  • Wireshark: tcp.port == 445 then dig into SMB2 + NTLMSSP

Public MITRE pointer people hang on lateral / remote services is in the T1021.002 neighborhood for admin share / SMB-ish movement — coercion is its own messy family, but the SMB+NTLM packaging is why a lot of IDS content lands on 445.

IDS: 445 + NTLMSSP_AUTH shaped content

In my lab notes the useful wire fingerprinting was less “perfect RPC interface UUID” (though that’s ideal when app-layer works) and more SMB + NTLMSSP AUTH patterns that show up in coercion / Impacket / Metasploit-shaped traffic.

Illustrative Suricata-style idea — lab only, tune hard, expect false positives on real NTLM environments:

alert tcp any any -> $HOME_NET 445 (
  msg:"LAB SMB NTLMSSP_AUTH pattern - coercion/relay-adjacent; tune me";
  flow:to_server,stateless;
  content:"|fe 53 4d 42|";  # SMB2/3-ish header flavor — verify
  content:"|4e 54 4c 4d 53 53 50 00 03 00 00 00|";  # NTLMSSP AUTH
  threshold:type limit, track by_src, count 5, seconds 30;
  reference:url,https://attack.mitre.org/techniques/T1021/002/;
  classtype:attempted-recon;
  sid:9100301;
  rev:1;
)

If you start from open rule packs, you’ll see content matches on SMB headers + NTLMSSP message type 3 (AUTH). That’s a starting point, not a trophy.

Honest limitations:

  • Lots of legitimate NTLM still exists (unfortunately)
  • Signing / encryption choices change what you can see
  • App-layer RPC parsers are great when they work and silent when they don’t (see also: my Certipy/DCERPC suffering)

So I treat 445 content rules as correlation bait, not court evidence.

What to pair it with

  • Windows security events on the coerced host and target — logon type 3, NTLM, unexpected inbound
  • AD CS enrollment right after coercion if that’s the relay goal (now you’re back in Certipy-land)
  • LDAP modify / privilege weirdness if relay hits directory
  • Process creation on the attacker host if you have EDR there (nice to have)

Timeline that makes a good detection story:

445/RPC coerce → NTLM AUTH to unexpected listener →
  (optional) LDAP/HTTP/ADCS activity from relay →
  new session / cert / privilege

If you only alert on step 1 forever, your SOC will mute you.

Hardening that makes PetitPotam boring

  • Patch the EFSRPC / related coercion CVEs on DCs and servers — stay current, this space churns
  • SMB signing where you can actually enforce it
  • EPA / Extended Protection, channel binding — especially for AD CS and web enrollment paths
  • Disable unused AD CS templates; require manager approval; lock down enrollment rights
  • Reduce NTLM where possible; audit what still needs it
  • Network segmentation so random workstations can’t talk RPC to DCs like it’s 2008

I’m not going to pretend one GPO fixes coercion forever. Defense in depth is annoying because it works.

False positives you’ll hate

  • Backup agents
  • Legit admin tools hitting admin shares
  • Scanners
  • Anything still doing NTLM to file servers all day

Start with alerts scoped to DCs + AD CS servers as victims, not the whole flat Class A.

Test plan

  1. Build lab with AD CS if you want the full relay story
  2. PCAP the coerce
  3. PCAP the relay success path if you go that far
  4. Write the 445 rule from your bytes
  5. Correlate one host event + one identity/CA event
  6. Document “mute conditions” before you enable prod

Related: Certipy / AD CS post — same kill chain neighborhood, different protocol pain.

Leave a Reply

Your email address will not be published. Required fields are marked *