Attivo Networks Blogs

PetitPotam Attack – Have You Hardened Your Active Directory?

Written by: Venu Vissamsetty – VP Security Research, Attivo Networks – Security researcher Gilles Lionel recently disclosed an attack technique named PetitPotam, allowing attackers to achieve domain compromise with just network access to the Enterprise infrastructure. The technique is a classic NTLM relay attack on any offered server services (e.g., a domain controller). Lionel also released proof-of-concept code on GitHub, demonstrating how attackers can use this specific attack technique to achieve domain compromise. Several other security researchers confirmed the severity and impact of this attack technique soon afterward.

As per the Microsoft advisory, customers are vulnerable to this attack if they are using Active Directory Certificate Servers (AD CS) with any of the following services:

  • Certificate Authority Web Enrollment
  • Certificate Enrollment Web Service

The technique forces a domain controller to authenticate against a malicious NTLM relay (using the MS-EFSRPC protocol), allowing attackers to obtain the NTLM credentials for the DC, which they then send to the domain’s Active Directory Certificate Services through HTTP. The attacker will eventually obtain a Kerberos ticket-granting ticket (TGT) that would allow them to take the identity of any device on the network, even a domain controller, leading to domain compromise.

With attack techniques such as these, it becomes increasingly important to continuously monitor for misconfigurations, exposures, and use of legacy protocols in an Active Directory.

Attackers targeting PetitiPotam attack discover servers running AD CS with Web enrollment.

Attivo customers can use the ADSecure solution’s capability to:

  • Detect attackers early in the attack cycle as they conduct discovery activities to find servers
  • Redirect attackers by hiding actual results and returning fake information leading to decoy servers
  • Get real-time visibility into attempts to discover domain controllers through unauthorized queries

The Attivo ADSecure solution also protects against attackers exploiting this vulnerability to generate a Golden Ticket attack.

The Attivo ADAssessor solution provides visibility into critical domain-, computer-, and user-level exposures and weak configurations. “Weak SMB Signing” exposure detection in ADAssessor is a Domain level exposure that looks at the SMB configuration in the Domain. This exposure will detect and highlight if the Domain does not have SMB signing configured. Attivo customers who have deployed the ADAssessor solution and have taken measures to remediate are protected from this PetitPotam technique. The following screenshot details how Attivo ADAssessor would report the exposure due to “Weak SMB Signing” and the related remediation recommendations.

There are additional ways to prevent attackers from using this specific technique in the enterprise:

1.Recommendations from Benjamin Delpy, the SME on AD Attacks

2.Recommendations from Microsoft

There have been multiple attack and vulnerability disclosures around Microsoft Active Directory lately. A continuous assessment of exposures and misconfigurations around Active Directory would go a long way in ensuring attackers don’t leverage these in an organization’s infrastructure. Get a free assessment using the Attivo ADAssessor here.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

seventeen − 8 =

Ready to find out what’s lurking in your network?

Scroll to Top