CVE-2021-36942 — Microsoft Windows Local Security Authority (LSA) Spoofing Vulnerability

CVE-2021-36942

PetitPotam — Unauthenticated NTLM Coercion Forces Domain Controller to Authenticate Against Attacker Server; Chained with AD CS Relay for Domain Takeover

What is Windows LSA and NTLM Authentication?

The Windows Local Security Authority (LSA) is the subsystem that handles authentication on a Windows host; several of its RPC interfaces, and the Encrypting File System Remote Protocol (MS-EFSR) alongside them, are reachable over the \pipe\lsarpc named pipe. NTLM (NT LAN Manager) is a challenge-response authentication protocol: a client proves knowledge of its password hash by answering a server-chosen challenge, so the hash itself never crosses the wire. The property that matters here is that NTLM is relayable. An attacker who can make a machine initiate an NTLM authentication toward an attacker-controlled listener can forward the challenge and the response in real time to a different service and authenticate there as the victim, without ever learning the victim's credentials, unless that service enforces signing or channel binding. When the victim is a domain controller, a relay can end in complete Active Directory compromise.

Overview

CVE-2021-36942 is a Windows LSA spoofing vulnerability that enables unauthenticated NTLM coercion, the PetitPotam attack. MS-EFSR is reachable over the \pipe\lsarpc named pipe and, before the fix, accepted calls from an anonymous (null-session) SMB client. By passing an attacker-controlled UNC path to an MS-EFSR method such as EfsRpcOpenFileRaw, the caller makes the target (including a domain controller) open that path and authenticate to the attacker's host as its machine account over NTLM. Chained with an NTLM relay against Active Directory Certificate Services (AD CS) web enrollment, the ESC8 path, that authentication yields a certificate for the domain controller's machine account and from there full domain compromise, all from an unauthenticated network position. Microsoft's August 2021 Patch Tuesday update addressed only part of the coercion surface. CISA added the CVE to the KEV catalog in November 2021; the entry is flagged for known ransomware use.

Affected Versions

Product | Vulnerable | Fixed
Windows Server 2008 R2 SP1 and later (all supported Server releases) | Yes | August 2021 Patch Tuesday (partial; see Technical Details)
Windows 10 (all versions supported in August 2021) | Yes | August 2021 Patch Tuesday (partial; see Technical Details)
AD CS Web Enrollment / CES (ESC8, HTTP endpoint) | Not patched as such; it is the relay target | Requires AD CS hardening per Microsoft guidance (KB5005413: EPA, require SSL, disable NTLM)

Technical Details

  • Root cause: the MS-EFSR methods reachable over \pipe\lsarpc (EfsRpcOpenFileRaw and several others) accepted anonymous callers, and their FileName argument is a path the server opens on the caller's behalf. A UNC path therefore makes the server initiate an outbound SMB connection, and with it an NTLM authentication as its own machine account, to whatever host the caller named
  • NTLM coercion: calling EfsRpcOpenFileRaw with a path such as \\attacker\share\x makes the target (even a domain controller) authenticate to the attacker's listener as its machine account (DC01$). What arrives is a NetNTLMv2 challenge-response, not the password hash: it cannot realistically be cracked for a machine account (the password is long and random), but it can be relayed while the connection is open. That is the coercion primitive
  • AD CS relay chain (ESC8): the coerced authentication is relayed to the CA's web-enrollment endpoint (http://ca/certsrv), which by default accepts NTLM over plain HTTP with neither signing nor channel binding. The CA issues a certificate for the DC's machine account (Machine or DomainController template); the attacker uses it with PKINIT to obtain a Kerberos TGT for the DC account, then runs DCSync to pull the krbtgt and other hashes for full domain compromise. SMB is a poor relay target here because domain controllers require SMB signing, which is why the HTTP enrollment endpoint is the one that matters
  • Patch limitation: the August 2021 update blocked the unauthenticated EfsRpcOpenFileRaw path. Other MS-EFSR methods remained usable (unauthenticated in some configurations, otherwise with any domain credentials), as did coercion through other RPC interfaces: MS-RPRN ("PrinterBug", the Print Spooler), MS-DFSNM ("DFSCoerce") and MS-FSRVP ("ShadowCoerce"). A further LSA spoofing fix shipped in May 2022 as CVE-2022-26925. Coercion is best treated as a class of issues; the durable fix is hardening the relay targets
  • No authentication required: CVSS PR:N/UI:N. Any host that can reach TCP 445 on the target can trigger the coercion; domain membership is not needed. The 7.5 score (C:H/I:N/A:N) rates the coercion alone; the chained ESC8 outcome is full domain compromise
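The chain above leaves two artifacts in the Security log of the CA / web-enrollment host: a 4624 network logon (type 3) of a DC machine account over NTLM from an address that is not a DC (the relayed DC$ authentication arriving at the CA), and a 4887 "certificate issued" event whose Requester is that DC machine account. The following detection is an added example, not part of the original advisory and not from the PetitPotam project. The DC account and address lists are supplied by the caller (in production, from Get-ADDomainController), the sample events are constructed for the example, and the event field names are those rendered in the event XML; 4887 only appears if "Issue and manage certificate requests" auditing is enabled on the CA.

```powershell
# Added example (not the advisory's or PetitPotam's code): flag PetitPotam -> AD CS
# (ESC8) relay artifacts on the CA host. $DcAccounts/$DcAddresses are assumptions
# supplied by the caller; $SampleEvents below are constructed, not real telemetry.

function ConvertTo-NamedEvent {
    # Turn a Get-WinEvent record into {Id, TimeCreated, Properties = name -> value}
    # so the detection logic can use field names instead of positional indexes.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $props = @{}
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = [int]$Record.Id; TimeCreated = $Record.TimeCreated; Properties = $props }
    }
}

function Get-RelayIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events,       # output of ConvertTo-NamedEvent
        [Parameter(Mandatory)] [string[]] $DcAccounts,   # e.g. 'DC01$'
        [Parameter(Mandatory)] [string[]] $DcAddresses   # addresses a DC legitimately connects from
    )
    $findings = @()
    foreach ($e in $Events) {
        $p = $e.Properties
        if ($e.Id -eq 4624) {
            # A DC machine account should never authenticate to the CA with NTLM
            # from a workstation/server subnet: that is the relayed coerced logon.
            $isDcAccount = $DcAccounts -contains $p.TargetUserName
            $isNtlm      = $p.AuthenticationPackageName -eq 'NTLM'
            $isNetwork   = [int]$p.LogonType -eq 3
            $fromDc      = $DcAddresses -contains $p.IpAddress
            if ($isDcAccount -and $isNtlm -and $isNetwork -and -not $fromDc) {
                $findings += [pscustomobject]@{
                    Time      = $e.TimeCreated
                    Indicator = 'DC machine account NTLM network logon from a non-DC address (relay)'
                    Account   = $p.TargetUserName
                    Source    = $p.IpAddress
                }
            }
        }
        elseif ($e.Id -eq 4887) {
            # Certificate issued; Requester is DOMAIN\account, strip the domain part.
            $requester = $p.Requester -replace '^.*\\', ''
            if ($DcAccounts -contains $requester) {
                $findings += [pscustomobject]@{
                    Time      = $e.TimeCreated
                    Indicator = 'Certificate issued to a DC machine account (check template and request source)'
                    Account   = $requester
                    Source    = "RequestId=$($p.RequestId)"
                }
            }
        }
    }
    return $findings
}

# Constructed sample: one benign Kerberos logon from the DC itself, one relayed
# DC01$ NTLM logon from a workstation subnet, then a certificate issued to DC01$.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2021-11-01T10:14:58'
        Properties = @{ TargetUserName = 'DC01$'; LogonType = '3'; AuthenticationPackageName = 'Kerberos'; IpAddress = '10.0.1.10' } }
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2021-11-01T10:15:02'
        Properties = @{ TargetUserName = 'DC01$'; LogonType = '3'; AuthenticationPackageName = 'NTLM'; IpAddress = '10.0.5.77' } }
    [pscustomobject]@{ Id = 4887; TimeCreated = [datetime]'2021-11-01T10:15:03'
        Properties = @{ RequestId = '1042'; Requester = 'CORP\DC01$'; Disposition = '3'; Subject = 'CN=dc01.corp.local' } }
)

# Expected: two findings (the NTLM logon from 10.0.5.77 and the 4887 for DC01$);
# the Kerberos logon from the DC's own address is ignored.
Get-RelayIndicators -Events $SampleEvents -DcAccounts 'DC01$' -DcAddresses '10.0.1.10' | Format-Table -AutoSize

# Live use on the CA host (Security-log read rights required):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4887 } -MaxEvents 20000 | ConvertTo-NamedEvent
# Get-RelayIndicators -Events $live -DcAccounts 'DC01$','DC02$' -DcAddresses '10.0.1.10','10.0.1.11'
```

Correlating the two findings within a few seconds of each other is the high-confidence signal; a lone 4887 for a DC account can be legitimate autoenrollment, and a lone NTLM logon from the DC account can be a misconfigured DC that does not yet use Kerberos to the CA, so both are worth a look but only the pair is conclusive.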

Discovery

PetitPotam was publicly released by French security researcher Gilles Lionel (@topotam) on GitHub on July 18, 2021, as a proof-of-concept tool demonstrating NTLM coercion via LSARPC. The technique was rapidly operationalized by ransomware affiliates who combined it with existing AD CS misconfiguration exploitation (ESC8 attack path documented by Will Schroeder and Lee Christensen in the "Certified Pre-Owned" whitepaper). CISA added CVE-2021-36942 to KEV in November 2021 based on confirmed ransomware deployment.

Exploitation Context

PetitPotam became a standard component of ransomware affiliates' pre-ransomware domain compromise playbooks in late 2021 and 2022. The attack requires: (1) network access to TCP 445 on a domain controller, (2) an internal host on which to run the listener and relay, and (3) a CA with the Web Enrollment role reachable over HTTP with NTLM still enabled and EPA not enforced. Many enterprise Active Directory environments met all three conditions. Threat actors combined PetitPotam with the AD CS relay (ESC8) to go from initial network foothold to domain admin in minutes, then established persistence (Golden Ticket, domain-wide credential access via DCSync) before deploying ransomware. The KEV entry's known-ransomware-use flag reflects the fact that this was a reliable, repeatable domain compromise primitive.

Remediation

  1. Apply the August 2021 Patch Tuesday update to all domain controllers and Windows servers, and stay current afterwards: that update closed only part of the coercion surface (see Technical Details), so the steps below are not optional
  2. Disable NTLM on the AD CS web-enrollment (CertSrv) and Certificate Enrollment Web Service endpoints: in IIS on the CA, set the Windows Authentication providers for those applications to Negotiate:Kerberos only, per Microsoft's KB5005413 guidance
  3. Enable Extended Protection for Authentication (EPA, set to Required) on the same endpoints and require SSL, so a relayed NTLM exchange fails channel binding; this is the change that actually breaks ESC8, and it needs a TLS binding on the CA's site
  4. Restrict SMB/NTLM egress from domain controllers (a DC has no reason to open SMB sessions to workstations) and limit which hosts can reach TCP 445 on DCs, using Windows Firewall or network segmentation; this removes the coercion step rather than the relay step
  5. Enable "Network security: Restrict NTLM: Audit Incoming NTLM Traffic", then move "Network security: Restrict NTLM: Incoming NTLM traffic" to a deny setting once the audit shows no remaining dependencies, to find and reduce NTLM use across the domain
  6. Review AD CS configuration for the full set of ESC paths (ESC1 through ESC8) with Certify or BloodHound CE; PetitPotam only supplies the authentication, and ESC8 is one of several misconfigurations it can be combined with
  7. Consider LSA Protection and Microsoft Defender Credential Guard on member hosts; they limit credential theft from LSASS but do nothing against coercion or relay, so treat them as defence in depth rather than a fix for this issue
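Steps 2 and 3 on the CA, plus a domain-controller-side control that removes the coercion step, as one added example. This is not Microsoft's script and not part of the original advisory. It assumes the enrollment application is 'Default Web Site/CertSrv' (the AD CS default; the site and application names are parameters), that a TLS binding already exists on the CA's site (requiring SSL otherwise breaks HTTP enrollment), and that clients can obtain Kerberos tickets for the CA's HTTP service once NTLM is removed. The RPC filter blocks the two MS-EFSR interface UUIDs in the user-mode RPC firewall; it complements, and does not replace, the August 2021 update.

```powershell
# Added example (not Microsoft's or the advisory's code). Run elevated.
# Assumptions: enrollment app at 'Default Web Site/CertSrv'; TLS binding on 443 exists.
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Set-CertSrvHardening {
    param([string]$Site = 'Default Web Site', [string]$App = 'CertSrv')
    $loc = "$Site/$App"

    # Step 3: Extended Protection = Require. A relayed NTLM exchange carries the
    # attacker's TLS channel binding, not the DC's, so the CA rejects it.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $WinAuth `
        -Name 'extendedProtection.tokenChecking' -Value 'Require'

    # EPA only has effect over TLS, so require SSL on the enrollment application.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $loc `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

    # Step 2: remove NTLM and plain Negotiate (which can fall back to NTLM);
    # leave Negotiate:Kerberos as the only provider.
    foreach ($prov in 'NTLM', 'Negotiate') {
        Remove-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$WinAuth/providers" `
            -Name '.' -AtElement @{ value = $prov } -ErrorAction SilentlyContinue
    }
    $current = Get-WebConfiguration -PSPath $AppHost -Location $loc -Filter "$WinAuth/providers/add" |
        ForEach-Object { $_.value }
    if ($current -notcontains 'Negotiate:Kerberos') {
        Add-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$WinAuth/providers" `
            -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
    }
}

function Test-CertSrvHardening {
    # Read the effective configuration back; Hardened is $true only when all
    # three controls are in place.
    param([string]$Site = 'Default Web Site', [string]$App = 'CertSrv')
    $loc  = "$Site/$App"
    $auth = Get-WebConfiguration -PSPath $AppHost -Location $loc -Filter $WinAuth
    $ssl  = Get-WebConfiguration -PSPath $AppHost -Location $loc -Filter 'system.webServer/security/access'
    $prov = Get-WebConfiguration -PSPath $AppHost -Location $loc -Filter "$WinAuth/providers/add" |
        ForEach-Object { $_.value }
    $epa      = "$($auth.extendedProtection.tokenChecking)"
    $sslFlags = "$($ssl.sslFlags)"
    [pscustomobject]@{
        Location         = $loc
        EpaTokenChecking = $epa                    # want: Require
        SslFlags         = $sslFlags               # want: Ssl (possibly with other flags)
        Providers        = ($prov -join ',')       # want: Negotiate:Kerberos only
        Hardened         = ($epa -eq 'Require') -and ($sslFlags -match '(^|,)Ssl(,|$)') -and
                           ($prov -notcontains 'NTLM') -and ($prov -notcontains 'Negotiate')
    }
}

function Add-EfsrRpcBlockFilter {
    # Block both MS-EFSR interface UUIDs (reachable via \pipe\lsarpc and \pipe\efsrpc)
    # so EfsRpc* coercion calls are dropped before they reach the service. This also
    # stops legitimate remote EFS use, which a DC normally has none of; test on file
    # servers first. Filters persist across reboots; inspect/remove with
    # 'netsh rpc filter show filter' and 'netsh rpc filter delete filter filterkey=<key>'.
    $efsrUuids = @('c681d488-d850-11d0-8c52-00c04fd90f7e',   # MS-EFSR over lsarpc
                   'df1941c5-fe89-4e79-bf10-463657acf44d')   # MS-EFSR over efsrpc
    foreach ($uuid in $efsrUuids) {
        netsh rpc filter add rule layer=um actiontype=block | Out-Null
        netsh rpc filter add condition field=if_uuid matchtype=equal data=$uuid | Out-Null
        netsh rpc filter add filter | Out-Null
    }
    netsh rpc filter show filter
}

# On the CA host:
Set-CertSrvHardening
Test-CertSrvHardening | Format-List
# On each domain controller:
Add-EfsrRpcBlockFilter
```

Verify with Test-CertSrvHardening after an IIS reset and again after the next AD CS role update, since role re-installation can reintroduce the NTLM provider. Before applying the RPC filter fleet-wide, confirm with the NTLM audit events from step 5 that nothing legitimate depends on remote EFS against the DCs.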

Key Details

Property | Value
CVE ID | CVE-2021-36942
Vendor / Product | Microsoft, Windows
NVD Published | 2021-08-12
NVD Last Modified | 2025-10-30
CVSS 3.1 Score | 7.5
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity | HIGH
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-07-18 | Security researcher Gilles Lionel (@topotam) publishes PetitTotam's predecessor-free PoC, PetitPotam: a tool that forces Windows hosts to authenticate via NTLM using the MS-EFSR methods reachable over the LSARPC named pipe
2021-08-10 | Microsoft patches CVE-2021-36942 in August 2021 Patch Tuesday: unauthenticated EfsRpcOpenFileRaw coercion is blocked; other MS-EFSR methods and other coercion interfaces remain
2021-08-12 | CVE published
2021-11-03 | Added to the CISA Known Exploited Vulnerabilities catalog; the entry records known ransomware use (PetitPotam combined with AD CS relay)
2021-11-17 | CISA BOD 22-01 remediation deadline