In July 2021, a proof-of-concept (PoC) exploit for a critical security issue dubbed PetitPotam was published on GitHub. PetitPotam is an NTLM relay attack: it coerces a Windows host into authenticating to a server the attacker controls, and when that authentication is relayed to Microsoft Active Directory Certificate Services (AD CS), adversaries can leverage it to take over the domains of a large number of enterprises.
According to SANS Institute's Internet Storm Center, attackers can abuse the issue in MS-EFSRPC (the Encrypting File System Remote Protocol) to force a remote Windows instance, a Domain Controller included, to initiate NTLM authentication to a machine they control. What the attacker captures is not a password hash but an NTLM challenge-response that can be relayed in real time, for example to the AD CS web enrollment endpoint to obtain a certificate for the Domain Controller's machine account. Thus, exploitation of PetitPotam can give cybercriminals access to any domain service, up to and including full control of the Domain Controller.
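One way to spot the coercion itself on the target host, as an added example that is not code from the original post or from SOC Prime's own rules: the EFSRPC interface is reached over SMB named pipes, so Windows Security Event 5145 (detailed network share access) records the pipe name under the IPC$ share. The script below parses constructed Event 5145 records (tab-separated key=value lines, not real logs) and flags opens of EFSRPC-capable pipes, scoring ANONYMOUS LOGON as high (the unauthenticated vector) and ordinary user accounts as medium (the authenticated variant). The pipe list, the severity scoring and the exclusion of machine accounts are assumptions chosen for illustration, not a vendor rule.

```python
"""Toy detector for PetitPotam-style EFSRPC coercion, run over constructed
Windows Security Event 5145 (network share object access) records.

Assumptions (not from the original page): events arrive as one
tab-separated "key=value" line per record, as a log forwarder might emit
them; pipe names, severity scoring and the machine-account exclusion are
illustrative tuning choices.
"""
from collections import Counter

# Named pipes through which the EFSRPC interface can be reached.  The
# original PetitPotam PoC goes through \pipe\lsarpc; later variants also
# use the others listed here.
EFSRPC_PIPES = {"lsarpc", "efsrpc", "samr", "lsass", "netlogon"}

# Constructed sample telemetry: benign file-share and DC-to-DC traffic,
# one anonymous coercion attempt and one authenticated attempt from the
# same source, and an IPC$ open of an unrelated pipe.
SAMPLE_EVENTS = "\n".join([
    "EventID=5145\tSubjectUserName=jdoe\tSubjectDomainName=CORP\tIpAddress=10.0.0.25\tShareName=\\\\*\\Finance\tRelativeTargetName=q3.xlsx",
    "EventID=5145\tSubjectUserName=DC02$\tSubjectDomainName=CORP\tIpAddress=10.0.0.11\tShareName=\\\\*\\IPC$\tRelativeTargetName=netlogon",
    "EventID=5140\tSubjectUserName=jdoe\tSubjectDomainName=CORP\tIpAddress=10.0.0.25\tShareName=\\\\*\\IPC$",
    "EventID=5145\tSubjectUserName=ANONYMOUS LOGON\tSubjectDomainName=NT AUTHORITY\tIpAddress=10.0.0.99\tShareName=\\\\*\\IPC$\tRelativeTargetName=lsarpc",
    "EventID=5145\tSubjectUserName=jdoe\tSubjectDomainName=CORP\tIpAddress=10.0.0.99\tShareName=\\\\*\\IPC$\tRelativeTargetName=efsrpc",
    "EventID=5145\tSubjectUserName=jdoe\tSubjectDomainName=CORP\tIpAddress=10.0.0.25\tShareName=\\\\*\\IPC$\tRelativeTargetName=srvsvc",
])


def parse_events(text):
    """Parse tab-separated key=value records into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for token in line.split("\t"):
            key, sep, value = token.partition("=")
            if sep:
                fields[key] = value
        records.append(fields)
    return records


def classify(event):
    """Return an alert dict for a suspicious EFSRPC pipe open, else None.

    Severity (assumed scoring):
      high   - ANONYMOUS LOGON opening an EFSRPC-capable pipe over IPC$
      medium - a user account doing the same
    Machine accounts (names ending in '$') are skipped because domain
    controllers and member servers legitimately talk to these pipes.
    """
    if event.get("EventID") != "5145":
        return None
    if not event.get("ShareName", "").upper().endswith("IPC$"):
        return None
    pipe = event.get("RelativeTargetName", "").lower()
    if pipe not in EFSRPC_PIPES:
        return None
    user = event.get("SubjectUserName", "")
    if user.endswith("$"):
        return None
    severity = "high" if user.upper() == "ANONYMOUS LOGON" else "medium"
    return {
        "severity": severity,
        "source_ip": event.get("IpAddress", "?"),
        "user": user,
        "pipe": pipe,
    }


def detect_petitpotam(text):
    """Run the rule over a log blob; return (alerts, per-source-IP counts).

    The per-IP count matters because coercion tools typically try several
    pipes in quick succession from one host.
    """
    alerts = [a for a in (classify(e) for e in parse_events(text)) if a]
    by_ip = Counter(a["source_ip"] for a in alerts)
    return alerts, by_ip


if __name__ == "__main__":
    found, counts = detect_petitpotam(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert['severity']:6}] {alert['source_ip']} "
              f"{alert['user']!r} -> \\pipe\\{alert['pipe']}")
    for ip, n in counts.most_common():
        print(f"{ip}: {n} EFSRPC pipe opens")
```

Running it on the sample flags only the two records from 10.0.0.99; the DC machine account, the srvsvc pipe and the file-share access pass through. In production the same logic would also want a source-address allowlist for known servers and a correlation with an outbound NTLM authentication from the coerced host to the same attacker address, which is what distinguishes successful coercion from a noisy scan.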
Read the "PetitPotam NTLM Relay Attack Detection" blog post to learn more about detecting and mitigating the attack.
Also, check the Threat Detection Marketplace for rules, tailored to your security solution, that help uncover PetitPotam attacks.