A new DFSCoerce Windows NTLM relay attack has been discovered that uses Microsoft’s distributed file system MS-DFSNM to completely take over a Windows domain.
Many organizations use Microsoft Active Directory Certificate Services, a public key infrastructure (PKI) service that is used to authenticate users, services, and devices on a Windows domain.
However, this service is vulnerable to NTLM relay attacks, in which threat actors coerce or force a domain controller to authenticate to a malicious NTLM relay server under the attacker's control.
This malicious server then forwards (relays) the authentication request to the domain's Active Directory Certificate Services over HTTP and ultimately obtains a Kerberos ticket-granting ticket (TGT). This ticket lets the threat actors assume the identity of any device on the network, including a domain controller.
Once they are impersonating a domain controller, the attackers have elevated privileges that let them take over the domain and execute any command.
While Microsoft has patched some of these protocols to prevent unauthenticated coercion, bypasses are often found that allow the protocols to continue to be exploited.
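The relay chain above has a defender-side fingerprint: the domain controller's machine account (for example DC01$) performs an NTLM network logon to the AD CS web server from the relay host's address rather than from the DC itself. The following is an added example, not code from the article or from the DFSCoerce project, that flags such logons in constructed records shaped like Security event 4624; the DC inventory and sample records are assumptions for the example.

```python
# Added example: flag NTLM network logons by a domain controller's machine
# account that arrive from an address that is not that DC's own.
# Coerced authentication (PetitPotam, DFSCoerce) relayed to AD CS over HTTP
# appears on the CA server as the DC account authenticating via NTLM from the
# attacker's relay host. Records are constructed to resemble event 4624 fields;
# the DC-to-address mapping is an assumed inventory, not real data.

KNOWN_DCS = {"DC01$": {"10.0.0.10"}, "DC02$": {"10.0.0.11"}}  # assumed inventory

SAMPLE_EVENTS = [  # constructed sample records
    {"EventID": 4624, "TargetUserName": "DC01$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.10"},   # DC itself
    {"EventID": 4624, "TargetUserName": "DC01$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77"},   # relay host
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77"},   # user, ignore
    {"EventID": 4624, "TargetUserName": "DC02$", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.77"},  # not NTLM
]


def is_suspicious(event, known_dcs=KNOWN_DCS):
    """True when a known DC machine account performs an NTLM network logon
    (logon type 3) from an address that is not one of that DC's own."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return False
    if event.get("AuthenticationPackageName") != "NTLM":
        return False  # Kerberos logons are not the relay pattern
    account = event.get("TargetUserName", "")
    if not account.endswith("$") or account not in known_dcs:
        return False  # only DC machine accounts are of interest here
    return event.get("IpAddress") not in known_dcs[account]


def find_relayed_dc_logons(events, known_dcs=KNOWN_DCS):
    """Return the events that match the relayed-DC-authentication pattern."""
    return [e for e in events if is_suspicious(e, known_dcs)]


if __name__ == "__main__":
    for hit in find_relayed_dc_logons(SAMPLE_EVENTS):
        print(f"possible relayed DC auth: {hit['TargetUserName']} "
              f"via NTLM from {hit['IpAddress']}")
```

Run against real 4624 records, the same check applies unchanged; the inventory of DC addresses is the only site-specific input.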
A New MS-DFSNM NTLM Relay Attack
This week, security researcher Filip Dragovico released a proof-of-concept script for a new NTLM relay attack called 'DFSCoerce', which uses Microsoft's Distributed File System protocol (MS-DFSNM) to relay authentication against any server.
The DFSCoerce script is based on the PetitPotam exploit, but instead of using MS-EFSRPC, it uses MS-DFSNM, a protocol that allows the Windows Distributed File System (DFS) to be managed through an RPC interface.
Security researchers who tested the new NTLM relay attack told BleepingComputer that a user with limited access to a Windows domain can easily become a domain administrator.
Researchers tell BleepingComputer that the best way to prevent these types of attacks is to follow Microsoft's advice on mitigating the PetitPotam NTLM relay attack.
However, it is currently unknown whether blocking the DFS RPC connection would cause problems on a network.
BleepingComputer has contacted Microsoft to find out if they plan to patch this new vector and will update the article with their response.