e1e6e9f0-1825-4f22-ab9a-f1a238843c01
PetitPotam abuses the Encrypting File System Remote Protocol (MS-EFSRPC), which is designed for performing maintenance and management operations on encrypted data that is stored remotely and accessed over a network. An unauthenticated attacker can use PetitPotam to make a targeted server connect to a server the attacker controls and perform NTLM authentication.
https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/
https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html
https://twitter.com/gentilkiwi/status/1418700887195795456
https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
https://github.com/gentilkiwi/mimikatz/releases
Security researchers and Microsoft recommend removing the Windows feature "Certificate Enrollment Web Service" from Windows Server domain controllers, since it is not needed in most cases and represents a security risk.
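
One way to check the recommendation above across a domain, as an added example that is not part of the original entry. It assumes the RSAT ActiveDirectory and ServerManager modules and rights to query each domain controller; the function name Get-DcAdcsWebRole is hypothetical, and the second feature (Certification Authority Web Enrollment) is not named on this page and is included as an assumption that it is worth reviewing alongside it.

```powershell
# Added example: report which domain controllers still have AD CS web roles installed.
# Requires the ActiveDirectory and ServerManager modules (RSAT).
Import-Module ActiveDirectory, ServerManager

# Server Manager feature names to look for.
$features = @(
    'ADCS-Enroll-Web-Svc',   # Certificate Enrollment Web Service (named on this page)
    'ADCS-Web-Enrollment'    # Certification Authority Web Enrollment (assumption: also reviewed)
)

# Hypothetical helper: query each DC and return one row per feature.
function Get-DcAdcsWebRole {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($dc in $ComputerName) {
        try {
            Get-WindowsFeature -Name $features -ComputerName $dc -ErrorAction Stop |
                Select-Object @{n = 'DomainController'; e = { $dc }},
                              Name, DisplayName, Installed
        }
        catch {
            # An unreachable DC is reported, not skipped, so it is not mistaken for clean.
            [pscustomobject]@{
                DomainController = $dc
                Name             = '(query failed)'
                DisplayName      = $_.Exception.Message
                Installed        = $null
            }
        }
    }
}

$dcs    = (Get-ADDomainController -Filter *).HostName
$report = Get-DcAdcsWebRole -ComputerName $dcs
$report | Sort-Object DomainController, Name | Format-Table -AutoSize

# Removal is left commented out so the audit can be reviewed first.
# $report | Where-Object { $_.Installed } | ForEach-Object {
#     Uninstall-WindowsFeature -Name $_.Name -ComputerName $_.DomainController
# }
```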