
PetitPotam + AD CS Chain

NTLM Relay to Certificate Services for DC Compromise

Coerce a Domain Controller to authenticate via PetitPotam, relay the NTLM authentication to AD CS web enrollment to obtain a DC certificate, then use PKINIT for a TGT and DCSync the entire domain.

Difficulty: Advanced | Estimated time: ~8 min | MITRE ATT&CK: T1187

Prerequisites:
- AD CS with web enrollment enabled (HTTP)
- No Extended Protection for Authentication (EPA) on web enrollment
- PetitPotam + ntlmrelayx + Rubeus
PetitPotam + AD CS Chain, Step 1 of 6: Discover AD CS Web Enrollment Endpoint

Step 1: Find NTLM Relay Target

Enumerate AD Certificate Services infrastructure to find a CA with HTTP-based web enrollment enabled. The /certsrv endpoint accepts NTLM authentication and can be targeted for relay attacks.

We found a certificate authority (CA) that has a web enrollment page accessible over plain HTTP. This is like finding a passport office that accepts phone calls as proof of identity — we can pretend to be someone else over the phone.

Detection Events
- Event ID 4688: EfsRpcOpenFileRaw RPC call detected
Attack Flow (diagram): "Discover web enrollment". Nodes: Attacker (Relay Server), DC01 (Coerced), CA01 (AD CS). Legend: Request, Response, Attack, Data.

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.