Learn Petitpotam NTLM AD CS

josh (@josh), Member Admin, topic starter

The PetitPotam NTLM relay attack targeting Active Directory Certificate Services (AD CS) is a powerful exploitation technique that can lead to full domain compromise if certain misconfigurations exist. Here’s a breakdown:


🧨 What Is PetitPotam?

PetitPotam is a tool and technique that abuses the MS-EFSRPC protocol (Encrypting File System Remote Protocol) to coerce a Windows machine—often a domain controller—into authenticating to an attacker-controlled server using NTLM. This opens the door for NTLM relay attacks.


🔗 How It Relates to AD CS

When Active Directory Certificate Services (AD CS) is misconfigured (which is common), attackers can relay NTLM authentication to AD CS endpoints like:

  • Certificate Authority Web Enrollment
  • Certificate Enrollment Web Service

If these services allow NTLM authentication and lack protections like Extended Protection for Authentication (EPA), attackers can:

  1. Trigger NTLM authentication from a domain controller using PetitPotam.
  2. Relay the authentication to AD CS.
  3. Request a certificate for the domain controller’s machine account.
  4. Use the certificate to obtain a Kerberos Ticket Granting Ticket (TGT).
  5. Perform DCSync to extract sensitive data like the krbtgt hash.
  6. Forge Golden Tickets and impersonate any user, including Domain Admins.
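As an added defender-side example (not code from the original post), the following Python audits an IIS web.config exported from the CertSrv (Certificate Authority Web Enrollment) site for the conditions the chain above depends on: Windows authentication with an explicit NTLM provider, Extended Protection for Authentication not set to Require, and TLS not required. The two sample configurations are constructed for the example; the element and attribute names are the standard IIS system.webServer/security schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample: CertSrv site with Windows auth on, EPA off, NTLM offered, no TLS requirement.
WEAK_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <access sslFlags="None" />
      <authentication>
        <windowsAuthentication enabled="true">
          <extendedProtection tokenChecking="None" />
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>"""

# The same site after hardening: EPA required, NTLM provider removed, TLS required.
HARDENED_CONFIG = (
    WEAK_CONFIG.replace('tokenChecking="None"', 'tokenChecking="Require"')
    .replace('            <add value="NTLM" />\n', "")
    .replace('sslFlags="None"', 'sslFlags="Ssl"')
)


def audit_certsrv_config(xml_text):
    """Return the settings that make this endpoint usable as an NTLM relay target (empty list = none found)."""
    root = ET.fromstring(xml_text)
    sec = root.find("./system.webServer/security")
    if sec is None:
        return ["no system.webServer/security section found"]
    findings = []
    win = sec.find("./authentication/windowsAuthentication")
    if win is None or win.get("enabled", "false").lower() != "true":
        return findings  # Windows authentication disabled: nothing to relay to
    epa = win.find("extendedProtection")
    token = epa.get("tokenChecking", "None") if epa is not None else "None"
    if token != "Require":
        findings.append(f"EPA not enforced (tokenChecking={token}); set it to Require")
    providers = [p.get("value") for p in win.findall("./providers/add")]
    if "NTLM" in providers:
        # Negotiate can still fall back to NTLM, so EPA remains the primary control.
        findings.append("explicit NTLM provider offered; remove it, leaving Negotiate")
    access = sec.find("access")
    flags = [f.strip() for f in (access.get("sslFlags", "None") if access is not None else "None").split(",")]
    if "Ssl" not in flags:
        findings.append("TLS not required (sslFlags lacks Ssl); EPA channel binding needs TLS")
    return findings
```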

🛡️ How to Mitigate

Microsoft and security experts recommend the following:
