{
	"id": "4bde8c42-cf7c-41a2-9e94-33fd32f727fc",
	"created_at": "2026-04-06T00:10:41.76135Z",
	"updated_at": "2026-04-10T03:21:51.041476Z",
	"deleted_at": null,
	"sha1_hash": "70bd3d7cff6ca18bf2e3e06041971ef574c55fff",
	"title": "PetitPotam Attack Chain Can Compromise Windows Domains Running AD CS | Rapid7 Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69171,
	"plain_text": "PetitPotam Attack Chain Can Compromise Windows Domains\r\nRunning AD CS | Rapid7 Blog\r\nBy Rapid7\r\nPublished: 2021-08-03 · Archived: 2026-04-05 14:03:51 UTC\r\nThe PetitPotam attack vector was assigned CVE-2021-36942 and patched on August 10, 2021. See the Updates\r\nsection at the end of this post for more information.\r\nLate last month (July 2021), security researcher Topotam published a proof-of-concept (PoC) implementation of a\r\nnovel NTLM relay attack christened “PetitPotam.” The technique used in the PoC allows a remote,\r\nunauthenticated attacker to completely take over a Windows domain with the Active Directory Certificate\r\nService (AD CS) running — including domain controllers. Rapid7 researchers have tested public proof-of-concept\r\ncode against a Windows domain controller setup and confirmed exploitability. One of our senior researchers\r\nsummed it up with: \"This attack is too easy.\"\r\nPetitPotam works by abusing Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to trick one\r\nWindows host into authenticating to another over LSARPC on TCP port 445. Successful exploitation means that\r\nthe target server will perform NTLM authentication to an arbitrary server, allowing an attacker who is able to\r\nleverage the technique to do... pretty much anything they want with a Windows domain (e.g., deploy ransomware,\r\ncreate nefarious new group policies, and so on). The folks over at SANS ISC have a great write-up here.\r\nAccording to Microsoft’s ADV210003 advisory, Windows users are potentially vulnerable to this attack if they are\r\nusing Active Directory Certificate Services (AD CS) with any of the following services:\r\nCertificate Authority Web Enrollment\r\nCertificate Enrollment Web Service\r\nNTLM relay attacks aren’t new—they’ve been around for decades. However, a few things make PetitPotam and\r\nits variants of higher interest than your more run-of-the-mill NTLM relay attack. 
As noted above, remote attackers\r\ndon’t need credentials to make this thing work, but more importantly, there’s no user interaction required to coerce\r\na target domain controller to authenticate to a threat actor’s server. Not only is this easier to do — it’s faster\r\n(though admittedly, well-known tools like Mimikatz are also extremely effective for gathering domain\r\nadministrator-level service accounts). PetitPotam is the latest attack vector to underscore the fundamental fragility\r\nof the Active Directory privilege model.\r\nMicrosoft released an advisory with a series of updates in response to community concern about the attack —\r\nwhich, as they point out, is “a classic NTLM relay attack” that abuses intended functionality. Users concerned\r\nabout the PetitPotam attack should review Microsoft’s guidance on mitigating NTLM relay attacks against Active\r\nDirectory Certificate Services in KB5005413. Since it looks like Microsoft will not issue an official fix for this\r\nhttps://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/\r\nPage 1 of 4\n\nvector, community researchers have added PetitPotam to a running list of “won’t fix” exploitable conditions in\r\nMicrosoft products.\r\nThe PetitPotam PoC is already popular with red teams and community researchers. We expect that interest to\r\nincrease as Black Hat brings further scrutiny to the Active Directory Certificate Services attack surface.\r\nMitigation Guidance\r\nA patch that mitigates this attack chain is available as of August 10, 2021. 
Windows administrators should apply\r\nthe August 10, 2021 patch for CVE-2021-36942 as soon as possible, prioritizing domain controllers, and then\r\nfollow the guidance below as specified in KB5005413.\r\nIn general, to prevent NTLM relay attacks on networks with NTLM enabled, domain administrators should ensure\r\nthat services that permit NTLM authentication make use of protections such as Extended Protection for\r\nAuthentication (EPA) coupled with “Require SSL” for affected virtual sites, or signing features such as SMB\r\nsigning. Implementing “Require SSL” is a critical step: Without it, EPA is ineffective.\r\nAs an NTLM relay attack, PetitPotam takes advantage of servers on which Active Directory Certificate Services\r\n(AD CS) is not configured with the protections mentioned above. Microsoft’s KB5005413: Mitigating NTLM\r\nRelay Attacks on Active Directory Certificate Services (AD CS) emphasizes that the primary mitigation for\r\nPetitPotam consists of three configuration changes (and an IIS restart). In addition to primary mitigations,\r\nMicrosoft also recommends disabling NTLM authentication where possible, starting with domain controllers.\r\nIn this order, KB5005413 recommends:\r\nDisabling NTLM Authentication on Windows domain controllers. Documentation on doing this can be\r\nfound here.\r\nDisabling NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict\r\nNTLM: Incoming NTLM traffic. For step-by-step directions, see KB5005413.\r\nDisabling NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the\r\n\"Certificate Authority Web Enrollment\" or \"Certificate Enrollment Web Service\" services.\r\nWhile not included in Microsoft’s official guidance, community researchers have tested using NETSH RPC\r\nfiltering to block PetitPotam attacks with apparent success. 
Rapid7 research teams have not verified this behavior,\r\nbut it may be an option for blocking the attack vector without negatively impacting local EFS functionality.\r\nThe majority of the guidance on PetitPotam, including in Microsoft's advisory, focuses on domains on which\r\nActive Directory Certificate Services are running. Unfortunately, even users not running AD CS can be vulnerable\r\nto PetitPotam. We've written a little about why below.\r\nPetitPotam is a means by which to trigger an authentication attempt from a target Windows system to an attacker-controlled system. This authentication attempt can then be captured and used for offline brute forcing, or more\r\ncommonly relayed to authenticate to another target service. When Microsoft released MS08-068, it removed the\r\nability to relay an authentication attempt back to the same target using the same service. In other words, an\r\nincoming SMB authentication attempt to an attacker cannot be relayed back to the target to authenticate to SMB\r\nand create a service to execute code (like PSexec does).\r\nThe attack identified as ESC8 and documented in the whitepaper Certified Pre-Owned describes a scenario in\r\nwhich an attacker can perform an NTLM relay attack to the AD CS HTTP endpoint to make authenticated API\r\ncalls. The original work suggests using the MS-RPRN RpcRemoteFindFirstPrinterChangeNotification\r\nmethods. However, these methods require that the connection be authenticated.\r\nThe PetitPotam technique is ideally suited to substitute for the MS-RPRN trigger described in the original whitepaper\r\nbecause it can trigger the authentication attempt without any credentials. 
It should also be noted that because the\r\nAD CS endpoint is HTTP and the incoming authentication uses SMB, the protections provided by MS08-068 do\r\nnot apply.\r\nTesting Results\r\nRapid7 researchers who tested the PetitPotam attack chain in August 2021 observed the following behavior:\r\nWindows Domain Controllers with and without Active Directory Certificate Services running were\r\nexploitable unauthenticated out of the box.\r\nA non-DC system was exploitable authenticated out of the box, whether or not it was joined to the\r\ndomain.\r\nThe non-DC system was exploitable unauthenticated by adding the lsarpc named pipe to the server's\r\nallowlist for anonymous access. That configuration parameter can be found here. Note the differences in\r\ndefault values depending on the server designation.\r\nRapid7 Customers\r\nInsightVM and Nexpose customers can assess their exposure to PetitPotam via the local vulnerability checks msft-adv210003, which looks for the registry settings described in ADV210003, and msft-cve-2021-36942, which\r\nchecks for the patches released by Microsoft on August 10.\r\nUpdates\r\nAugust 23, 2021: Multiple sources have now reported that at least one ransomware gang (LockFile) is chaining\r\nProxyShell with PetitPotam (CVE-2021-36942) to compromise Windows domain controllers. See Rapid7's blog\r\non ProxyShell for further information on mitigation and attack chain analysis.\r\nAugust 10, 2021: Microsoft has released a patch that addresses the PetitPotam NTLM relay attack vector in\r\ntoday's Patch Tuesday. 
Tracked as CVE-2021-36942, the August 2021 Patch Tuesday security update blocks the\r\naffected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through the LSARPC interface.\r\nWindows administrators should prioritize patching domain controllers and will still need to take additional steps\r\nlisted in KB5005413 to ensure their systems are fully mitigated.\r\nSource: https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/"
	],
	"report_names": [
		"petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70bd3d7cff6ca18bf2e3e06041971ef574c55fff.pdf",
		"text": "https://archive.orkl.eu/70bd3d7cff6ca18bf2e3e06041971ef574c55fff.txt",
		"img": "https://archive.orkl.eu/70bd3d7cff6ca18bf2e3e06041971ef574c55fff.jpg"
	}
}