ADCS + PetitPotal NTLM Relay

Already explained pretty well in these both articles :

ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine CertificateRed Teaming Experiments

From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrato - TruesecTruesec