Threat Intel: PetitPotam and the Certificate Enrollment Web Service on Domain Controllers


PetitPotam abuses the Encrypting File System Remote Protocol (MS-EFSRPC), which is designed for performing maintenance and management operations on encrypted data that is stored remotely and accessed over a network. By calling an EFSRPC function such as EfsRpcOpenFileRaw with a UNC path pointing at a host they control, an attacker can force the targeted server to connect back to that host and authenticate with NTLM using its own machine account. Before the August 2021 patch (CVE-2021-36942, KB5005413) this could be triggered without any credentials; afterwards it still works for any authenticated domain user. The coerced authentication is then relayed to an HTTP endpoint that accepts NTLM, typically the AD CS web enrollment pages or the Certificate Enrollment Web Service, to obtain a certificate for the domain controller's machine account and, from there, full control of the domain.


Security researchers and Microsoft recommend that the Windows feature "Certificate Enrollment Web Service" be removed from Windows Server domain controllers, since it is not needed in most deployments and represents a security risk: a DC that hosts an NTLM-accepting enrollment endpoint is both the source of the coerced authentication and the relay target. Where the service must remain on a dedicated AD CS server, Microsoft's KB5005413 guidance applies instead: require Extended Protection for Authentication and TLS on the enrollment endpoints and, where possible, disable incoming NTLM on the AD CS server.
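The following PowerShell script is an added example, not code from the original page or from Microsoft. It audits a server for the AD CS web role services that relayed NTLM authentication targets, removes them when the host is a domain controller, and otherwise applies the KB5005413 hardening (EPA and TLS) to the enrollment applications. The `-Remediate` switch, the assumption that the enrollment applications live under the "Default Web Site", and the `certsrv|_CES_|_CEP_` path pattern used to find them are assumptions of this script, not part of any Microsoft tool.

```powershell
# Added example (not from the original page): audit and harden a server against
# NTLM relay to AD CS enrollment endpoints after PetitPotam-style coercion.
# Run in an elevated PowerShell session on the server itself.
# Without -Remediate the script only reports; -Remediate is this script's own switch.
[CmdletBinding()]
param([switch]$Remediate)

Import-Module ServerManager

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4
Write-Output "Domain controller: $isDC (DomainRole=$role)"

# Role services that expose HTTP endpoints accepting NTLM, i.e. relay targets.
# These are the real Windows role-service names.
$webRoleServices = @(
    'ADCS-Enroll-Web-Svc',   # Certificate Enrollment Web Service (CES)
    'ADCS-Enroll-Web-Pol',   # Certificate Enrollment Policy Web Service (CEP)
    'ADCS-Web-Enrollment'    # Certification Authority Web Enrollment (/certsrv)
)

$installed = Get-WindowsFeature -Name $webRoleServices | Where-Object { $_.Installed }
if (-not $installed) {
    Write-Output 'No AD CS web role services installed; no enrollment endpoint to relay to on this host.'
    return
}
foreach ($f in $installed) { Write-Output "INSTALLED: $($f.Name) ($($f.DisplayName))" }

if ($isDC) {
    # Recommended for DCs: the enrollment web services are not needed here, remove them.
    if ($Remediate) {
        Uninstall-WindowsFeature -Name $installed.Name -Restart:$false
        Write-Output 'Removed AD CS web role services from the domain controller.'
    } else {
        Write-Output 'FINDING: AD CS web role services present on a domain controller; run with -Remediate to remove.'
    }
    return
}

# Dedicated AD CS server where the services must stay: apply KB5005413 hardening.
Import-Module WebAdministration
$siteName = 'Default Web Site'   # assumption: enrollment apps are under the default site
$apps = Get-WebApplication -Site $siteName | Where-Object { $_.Path -match 'certsrv|_CES_|_CEP_' }

foreach ($app in $apps) {
    $psPath = "IIS:\Sites\$siteName\$($app.Path.TrimStart('/'))"

    # Weak state: tokenChecking None/Allow lets a relayed NTLM exchange succeed because the
    # channel binding token is not enforced; sslFlags without Ssl allows plain HTTP.
    $epa = (Get-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'extendedProtection.tokenChecking').ToString()
    $ssl = (Get-WebConfigurationProperty -PSPath $psPath `
        -Filter 'system.webServer/security/access' -Name 'sslFlags').ToString()
    Write-Output "$($app.Path): extendedProtection.tokenChecking=$epa sslFlags=$ssl"

    if ($Remediate) {
        # Hardened state: require EPA (channel binding) and TLS on the endpoint.
        Set-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name 'extendedProtection.tokenChecking' -Value 'Require'
        Set-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
        Write-Output "$($app.Path): EPA set to Require, TLS required."
    } elseif ($epa -ne 'Require' -or $ssl -notmatch 'Ssl') {
        Write-Output "FINDING: $($app.Path) accepts NTLM without EPA and/or over plain HTTP."
    }
}

# Report (do not change) the incoming-NTLM policy; 2 = Deny all. Setting it is the strongest
# KB5005413 mitigation but breaks any client that cannot use Kerberos, so it is left to the operator.
$ntlm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
    -Name 'RestrictReceivingNTLMTraffic' -ErrorAction SilentlyContinue
Write-Output "RestrictReceivingNTLMTraffic: $(if ($ntlm) { $ntlm.RestrictReceivingNTLMTraffic } else { 'not set (NTLM accepted)' })"
```

EPA only helps when the endpoint is reached over TLS, which is why the script sets both properties together; an enrollment application that still answers on plain HTTP remains a usable relay target even with `tokenChecking` set to `Require`.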