PatchDay Alert
Analysis · 3 min read · 623 words By analysis-desk

PetitPotam: make a domain controller authenticate to you, relay it, own the domain

CVE-2021-36942 lets an attacker coerce a Windows machine, including a domain controller, into authenticating to a host they control. Relay that authentication to Active Directory Certificate Services and you can mint a certificate as the DC. It's an Active Directory configuration problem as much as a patching problem.

PetitPotam, CVE-2021-36942, is one of the cleaner illustrations of how Active Directory gets taken over without a memory-corruption exploit in sight. It abuses MS-EFSRPC, the Encrypting File System Remote Protocol, to coerce a Windows machine, crucially including a domain controller, into authenticating to an attacker-chosen destination. On its own, that is only a forced authentication. Chained with NTLM relay to Active Directory Certificate Services (AD CS), where the web-enrollment interface is reachable and accepts NTLM without Extended Protection, the attacker relays the DC’s machine-account authentication to the enrollment endpoint, requests a certificate in the domain controller’s name, and uses that certificate to authenticate as the DC over Kerberos (PKINIT). A DC’s identity carries replication rights, so that is domain takeover. It joins Zerologon and noPac as a path from plain network access to the whole directory.

What it is, and why it’s part patch and part config

Microsoft addressed the EFSRPC coercion vector in the August 2021 updates (the fix blocks the unauthenticated EfsRpcOpenFileRaw calls over the LSARPC interface) and the broader relay-to-AD CS issue through KB5005413 hardening guidance, but PetitPotam is fundamentally an Active Directory configuration weakness as much as a single bug. The takeover requires three conditions to line up: a coercion method (PetitPotam is one of several; PrinterBug over MS-RPRN, DFSCoerce over MS-DFSNM and others exist too), NTLM authentication that can be relayed, and an AD CS endpoint that accepts relayed authentication. Patching one coercion method closes one door; because attackers have several coercion primitives, the durable defense is the configuration: stop NTLM relay from succeeding against AD CS. CISA’s Known Exploited Vulnerabilities catalog lists it with the ransomware flag.

The lesson: AD CS and NTLM relay are an under-defended attack surface

The broader point, reinforced by the wave of AD CS research (the “Certified Pre-Owned” work and its ESC techniques; relay to the HTTP enrollment endpoints is ESC8 in that taxonomy), is that Active Directory Certificate Services is a powerful, often-misconfigured system that can be turned into domain compromise, and NTLM relay is the glue. Most organizations deployed AD CS years ago and never hardened it against relay. The defensive work is configuration review, not just patching:

  • Disable NTLM where you can, and enforce Extended Protection for Authentication (EPA) and TLS where you can’t. On the AD CS web-enrollment endpoints (Certificate Authority Web Enrollment and, if installed, Certificate Enrollment Web Service) set EPA to Required, require SSL, and remove NTLM from the accepted Windows authentication providers. EPA set to “Allow” is not enough: it still accepts clients that present no channel binding, which is exactly what a relayed NTLM authentication looks like.
  • Remove or restrict the AD CS web-enrollment roles if you don’t need them, and don’t expose them broadly.
  • Audit AD CS template and enrollment permissions for the ESC misconfigurations that make abuse easy.
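The three endpoint settings above, and the same items repeated under “What to do” below, can be checked and applied from the CA server itself. The script that follows is an added example written for this page; it is not code from the original post or from Microsoft. It assumes web enrollment is installed under “Default Web Site” at the default /CertSrv path, that the WebAdministration module is present, and that you run it elevated on the CA. Enrollment Web Service applications take the same three settings; add their IIS paths to $apps. The incoming-NTLM registry check at the end is reported but not changed, since that value is normally pushed by Group Policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the PatchDay Alert page or from Microsoft): audit the
# AD CS web-enrollment settings that KB5005413 tells you to change, and apply
# them with -Fix. Assumptions: run on the CA server, web enrollment lives under
# "Default Web Site" at /CertSrv, WebAdministration module available.
param([switch]$Fix)

Import-Module WebAdministration

$apps      = @('IIS:\Sites\Default Web Site\CertSrv')   # add CES app paths here if installed
$winAuth   = 'system.webServer/security/authentication/windowsAuthentication'
$providers = "$winAuth/providers"
$access    = 'system.webServer/security/access'

function Test-AdcsRelayHardening {
    param([string]$App)

    # 1. EPA must be "Require". "Allow" still accepts clients that send no
    #    channel binding, which is what a relayed NTLM session looks like.
    $epa = (Get-WebConfigurationProperty -PSPath $App -Filter $winAuth -Name extendedProtection).tokenChecking

    # 2. SSL must be required: channel binding only exists over TLS.
    $ssl = (Get-WebConfigurationProperty -PSPath $App -Filter $access -Name sslFlags).Value

    # 3. Providers: NTLM and bare Negotiate (which can fall back to NTLM)
    #    should be gone, leaving Negotiate:Kerberos.
    $prov = @((Get-WebConfigurationProperty -PSPath $App -Filter $providers -Name Collection).value)

    [pscustomobject]@{
        App             = $App
        EpaRequired     = ($epa -eq 'Require')
        SslRequired     = ("$ssl" -match 'Ssl')
        NtlmProviderOff = -not (($prov -contains 'NTLM') -or ($prov -contains 'Negotiate'))
        Providers       = ($prov -join ',')
    }
}

function Set-AdcsRelayHardening {
    param([string]$App)
    Set-WebConfigurationProperty -PSPath $App -Filter "$winAuth/extendedProtection" -Name tokenChecking -Value 'Require'
    Set-WebConfigurationProperty -PSPath $App -Filter $access -Name sslFlags -Value 'Ssl'
    foreach ($p in 'NTLM', 'Negotiate') {
        Remove-WebConfigurationProperty -PSPath $App -Filter $providers -Name Collection `
            -AtElement @{ value = $p } -ErrorAction SilentlyContinue
    }
    $current = @((Get-WebConfigurationProperty -PSPath $App -Filter $providers -Name Collection).value)
    if ($current -notcontains 'Negotiate:Kerberos') {
        Add-WebConfigurationProperty -PSPath $App -Filter $providers -Name Collection -Value @{ value = 'Negotiate:Kerberos' }
    }
}

foreach ($app in $apps) {
    if (-not (Test-Path $app)) { Write-Warning "$app not found; is web enrollment installed here?"; continue }
    if ($Fix) { Set-AdcsRelayHardening -App $app }
    Test-AdcsRelayHardening -App $app
}

# Host level: KB5005413 also says deny incoming NTLM on the CA (GPO "Network
# security: Restrict NTLM: Incoming NTLM traffic" = Deny all accounts, which
# writes RestrictReceivingNTLMTraffic = 2). Report only; it is GPO-managed and
# breaks any client that cannot do Kerberos to this host.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
[pscustomobject]@{
    Check = 'Incoming NTLM denied on CA host'
    Value = $lsa.RestrictReceivingNTLMTraffic
    Pass  = ($lsa.RestrictReceivingNTLMTraffic -eq 2)
}
```

Run it once without -Fix to see the current state, then with -Fix. Requiring SSL changes the enrollment URL to https://, so update anything that still enrolls over plain HTTP before you flip it, and restart IIS afterwards so the new authentication settings take effect.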

What to do

  • Apply the Microsoft updates for the coercion vector (August 2021 for CVE-2021-36942), and follow Microsoft’s KB5005413 guidance on preventing NTLM relay attacks on AD CS.
  • Harden AD CS against relay: enable EPA, require TLS, and disable NTLM to AD CS. These configuration changes are the load-bearing defense, because multiple coercion methods exist and the patch closes only one of them.
  • Reduce NTLM use domain-wide. Move toward Kerberos and disable NTLM where feasible; NTLM relay underpins this and several related attacks.
  • Monitor for coercion and anomalous certificate requests: EFSRPC and printer-coercion patterns (Event 5145 access to the lsarpc or efsrpc named pipes, if detailed file share auditing is enabled), NTLM network logons by domain-controller machine accounts arriving at the CA from addresses that are not the DC, and machine-account certificate enrollments on the CA (Events 4886 and 4887) that don’t fit normal operation.
  • Treat AD CS as tier zero, because a path through it ends at domain admin.
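The monitoring item above is concrete enough to script. The following is an added example for this page, not code from the original post: it flags 4624 logon events on the AD CS server where a domain controller’s computer account authenticated with NTLM from an address that is not that DC. A relayed PetitPotam authentication lands on the CA exactly this way, and because the relay forwards the DC’s own NTLM messages, the workstation name in the event still reads as the DC; the source IP is the only thing that gives it away. The DC address inventory and the sample events are constructed for the example (build the inventory from Get-ADDomainController in production), and the live query assumes success auditing for Logon events, which is on by default on servers.

```powershell
# Added example (not from the PatchDay Alert page): detect a DC computer account
# authenticating to this host with NTLM from a non-DC source address, the
# footprint of coerced authentication relayed to AD CS. Sample data is constructed.

$dcAddresses = @{            # constructed inventory: DC account -> its known addresses
    'DC01$' = @('10.0.0.10')
    'DC02$' = @('10.0.0.11')
}

function Find-RelayedDcLogon {
    param(
        [Parameter(Mandatory)] [object[]]$Events,        # flat 4624 records (see Get-LogonEvents)
        [Parameter(Mandatory)] [hashtable]$DcAddresses
    )
    foreach ($e in $Events) {
        if ($e.Id -ne 4624) { continue }
        $acct = $e.TargetUserName
        if (-not $DcAddresses.ContainsKey($acct)) { continue }       # only DC computer accounts
        if ($e.LogonType -ne 3) { continue }                         # network logon (IIS / RPC)
        if ($e.AuthenticationPackageName -ne 'NTLM') { continue }    # relay requires NTLM
        if ($DcAddresses[$acct] -contains $e.IpAddress) { continue } # DC from its own address: benign
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $acct
            SourceIp    = $e.IpAddress
            Workstation = $e.WorkstationName   # will usually still say the DC's name
            Verdict     = 'DC account NTLM logon from non-DC address: possible coercion + relay'
        }
    }
}

# Flatten real 4624 events from this host's Security log into the shape above.
function Get-LogonEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Id = $_.Id; TimeCreated = $_.TimeCreated
                TargetUserName = $d.TargetUserName; LogonType = [int]$d.LogonType
                AuthenticationPackageName = $d.AuthenticationPackageName
                IpAddress = $d.IpAddress; WorkstationName = $d.WorkstationName
            }
        }
}

# Constructed sample: Kerberos logon from DC01 (benign), NTLM logon from DC01's own
# address (benign), and DC01$ over NTLM from a client subnet with the DC's workstation
# name carried through by the relay (flagged).
$sample = @(
    [pscustomobject]@{ Id = 4624; TimeCreated = '2021-08-10 09:00:01'; TargetUserName = 'DC01$'; LogonType = 3; AuthenticationPackageName = 'Kerberos'; IpAddress = '10.0.0.10';  WorkstationName = '-' }
    [pscustomobject]@{ Id = 4624; TimeCreated = '2021-08-10 09:00:05'; TargetUserName = 'DC01$'; LogonType = 3; AuthenticationPackageName = 'NTLM';     IpAddress = '10.0.0.10';  WorkstationName = 'DC01' }
    [pscustomobject]@{ Id = 4624; TimeCreated = '2021-08-10 09:02:17'; TargetUserName = 'DC01$'; LogonType = 3; AuthenticationPackageName = 'NTLM';     IpAddress = '10.0.50.23'; WorkstationName = 'DC01' }
)

Find-RelayedDcLogon -Events $sample -DcAddresses $dcAddresses | Format-Table -AutoSize
# Live use on the CA:  Find-RelayedDcLogon -Events (Get-LogonEvents -Hours 24) -DcAddresses $dcAddresses
```

Only the third sample record is reported. Corroborate a hit with the CA’s own log: a 4886/4887 pair whose requester is the same DC$ account within seconds of the flagged logon is a relayed enrollment, whereas scheduled autoenrollment from the DC’s real address is not.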

The reframe is to recognize that Active Directory’s takeover paths increasingly run through configuration and protocol design (NTLM relay, AD CS misconfiguration, authentication coercion) rather than classic memory bugs, and to defend accordingly. PetitPotam is patchable in part, but the real fix is hardening AD CS so relayed authentication can’t mint a domain-controller certificate. Patch the coercion vector, harden AD CS against relay, cut down NTLM, and audit your certificate services. We flag the AD and AD CS entries with maximum weight, because they’re the techniques that quietly end with someone holding a domain-admin certificate.
