Overview
NTLM relay attacks remain one of the most effective techniques for Active Directory compromise in 2025. Newer tooling and AD CS certificate abuse have made these attacks faster and more reliable, even against hardened environments.
Attack Chain
- Trigger NTLM Auth — Coerce machine account authentication via PetitPotam, PrinterBug, or DFSCoerce
- Relay to AD CS (ESC8) — Forward the NTLM authentication to the Certificate Authority Web Enrollment endpoint
- Obtain Certificate — Request a certificate on behalf of the Domain Controller machine account
- PKINIT / Shadow Credentials — Use the certificate to obtain a TGT or add a shadow credential
- DCSync — Dump all domain hashes and achieve full domain compromise
# Relay to AD CS with impacket
ntlmrelayx.py -t http://ca-server/certsrv/certfnsh.asp --adcs --template DomainController
certipy auth -pfx dc01.pfx -domain corp.local
secretsdump.py -k dc01.corp.local
Mitigations
- Enable EPA (Extended Protection for Authentication) on all AD CS web endpoints
- Disable NTLM where possible and enforce Kerberos authentication
- Enable SMB signing and LDAP signing + channel binding via GPO
- Audit AD CS templates for ESC1–ESC8 misconfigurations using Certipy
- Block MS-RPRN and MS-EFSRPC at the firewall to prevent coercion