# PetitPotam (NTLM Coercion via EFSRPC)

## What it is

Coerces a target host (often a Domain Controller) into authenticating to an attacker-controlled host over NTLM by invoking the EFSRPC (MS-EFSR) interface.
## Why it matters
- Enables NTLM relay
- Common path to AD CS abuse
- Can lead to Domain Admin under the right conditions
## Requirements
- Network access to target
- NTLM enabled
- Relay target available (e.g., AD CS, SMB, LDAP)
## Attack Flow
- Trigger EFSRPC call
- Target initiates NTLM auth
- Relay authentication
- Gain elevated access
## Detection / Artifacts

- EFSRPC (MS-EFSR) calls arriving over SMB named pipes on IPC$
- Unusual NTLM authentication attempts, e.g. a Domain Controller's machine account authenticating to a host that is not a DC
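The two artifacts above turned into a small triage routine, as an added example (not part of the original page): it scans Windows Security events for a DC machine account arriving via NTLM from a non-DC address (Event 4624) and for clients opening the IPC$ pipes that carry EFSRPC (Event 5145). The DC names and addresses, pipe list tuning and the sample events are assumptions for this example.

```python
"""Triage constructed Windows events for signs of coerced NTLM authentication.

Signals checked:
  * 4624: a DC machine account (e.g. DC01$) logging on with NTLM, logon type 3,
    from an IP that is not a DC. On a relay target this is what a relayed
    DC credential looks like.
  * 5145: IPC$ access whose target is a named pipe the EFSRPC interface binds to.
"""

DC_HOSTS = {"DC01", "DC02"}            # assumed domain controller names
DC_IPS = {"10.0.0.10", "10.0.0.11"}    # assumed domain controller addresses
# Pipes over which MS-EFSR is reachable; lsarpc/samr/netlogon are common in
# benign traffic, so a production rule would baseline them per environment.
EFSRPC_PIPES = {"efsrpc", "lsarpc", "samr", "lsass", "netlogon"}


def is_relayed_dc_logon(ev):
    """4624: NTLM network logon of a DC machine account from a non-DC source."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return False
    if ev.get("AuthenticationPackageName") != "NTLM":
        return False
    acct = ev.get("TargetUserName", "")
    if not acct.endswith("$") or acct[:-1].upper() not in DC_HOSTS:
        return False
    return ev.get("IpAddress") not in DC_IPS


def is_efsrpc_pipe_open(ev):
    """5145: IPC$ share access whose relative target is an EFSRPC-capable pipe."""
    if ev.get("EventID") != 5145:
        return False
    if not ev.get("ShareName", "").upper().endswith("IPC$"):
        return False
    return ev.get("RelativeTargetName", "").lower() in EFSRPC_PIPES


def triage(events):
    """Return (reason, event) pairs for every event that matches a signal."""
    hits = []
    for ev in events:
        if is_relayed_dc_logon(ev):
            hits.append(("dc-machine-account-ntlm-from-non-dc", ev))
        elif is_efsrpc_pipe_open(ev):
            hits.append(("efsrpc-pipe-opened", ev))
    return hits


# Constructed sample events (not real logs): a relayed DC credential seen on an
# AD CS host, a pipe open on the DC, and a benign Kerberos DC-to-DC logon.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.99", "Computer": "CA01"},
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "efsrpc",
     "IpAddress": "10.0.0.99", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "DC02$", "IpAddress": "10.0.0.11", "Computer": "DC01"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the first two events and leaves the Kerberos DC-to-DC logon alone.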
## Related Attacks
- PrinterBug
- DFSCoerce
- ShadowCoerce