New DFSCoerce NTLM relay attack allows taking control over Windows domains

Researchers have disclosed a new Windows NTLM relay attack, dubbed DFSCoerce, that threat actors can exploit to take control of a Windows domain.

DFSCoerce abuses the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM), which exposes an RPC interface for administering DFS namespace configurations. By calling that interface on a domain controller, an attacker coerces the DC into authenticating to a host they control; the DC's NTLM authentication is then relayed to Active Directory Certificate Services (AD CS), as in the PetitPotam attack chain, to obtain a certificate for the DC account and, from it, a Kerberos ticket that gives full control of the domain.

The security researcher Filip Dragovic published a proof-of-concept script for the new NTLM relay attack.

The PoC is based on the PetitPotam exploit but abuses the MS-DFSNM protocol instead of MS-EFSRPC (the Encrypting File System Remote Protocol that PetitPotam uses), so the coercion still works on domain controllers where the MS-EFSRPC path has been blocked.

"Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay DC authentication to ADCS? Don't worry, MS-DFSNM has your back https://t.co/idwMnM8nIV"
— Filip Dragovic (@filip_dragovic) June 18, 2022

Will Dormann, vulnerability analyst at CERT/CC, confirmed that the attack works and allows threat actors to obtain a Ticket Granting Ticket (TGT) from the domain controller.

"Yep, this works. Just like the attack chain starting with PetitPotam works. You all already knew that if you didn't already apply the PetitPotam mitigations from last August the entire attack chain still works today as it was originally described, right? https://t.co/vbnf9OKOKB https://t.co/pLs7AScn6k"
— Will Dormann (@wdormann) June 20, 2022

To mitigate the attack, researchers point to Microsoft's guidance for the PetitPotam NTLM relay attack: disabling NTLM on domain controllers, enabling Extended Protection for Authentication (EPA) on the AD CS web enrollment services and requiring HTTPS for them (so that plain HTTP is no longer accepted), enabling SMB and LDAP signing, and disabling NTLM for IIS on AD CS servers. These measures harden the relay targets rather than the coercion itself: as Dragovic's tweet notes, an RPC filter that blocks the MS-EFSRPC interface used by PetitPotam does nothing against MS-DFSNM, and disabling the Print Spooler does not help either.
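As an added example (not code from the article, nor from Dragovic's PoC), the following PowerShell audits and, with -Apply, enforces the AD CS web enrollment part of that guidance on the CA server: HTTPS only, EPA set to Require, and Kerberos as the only Windows Authentication provider. It assumes the IIS WebAdministration module and the default enrollment path 'Default Web Site/CertSrv'; the function names are my own.

```powershell
# Added example, not the article's or the DFSCoerce PoC's code.
# Audits and (with -Apply) enforces the AD CS web enrollment hardening from
# Microsoft's PetitPotam guidance. Both PetitPotam and DFSCoerce relay the
# DC's NTLM authentication to AD CS, so hardening this endpoint blunts both.
# Run on the AD CS server as an administrator.
# Assumption (not from the article): web enrollment lives at the default
# 'Default Web Site/CertSrv' application.
param([switch]$Apply)

Import-Module WebAdministration

$Root    = 'MACHINE/WEBROOT/APPHOST'
$App     = 'Default Web Site/CertSrv'   # assumed default enrollment path
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Get-CertSrvRelayHardening {
    # EPA 'Require' binds the NTLM exchange to the TLS channel, so an
    # authentication relayed from the coerced DC is rejected by IIS.
    $epa = (Get-WebConfiguration -PSPath $Root -Location $App `
                -Filter "$WinAuth/extendedProtection").tokenChecking
    # EPA only protects an HTTPS endpoint; plain HTTP must be refused.
    $ssl = (Get-WebConfiguration -PSPath $Root -Location $App `
                -Filter 'system.webServer/security/access').sslFlags
    # Providers offered to clients: 'NTLM', or bare 'Negotiate' (which can
    # fall back to NTLM), leaves a relay path open.
    $providers = @(Get-WebConfigurationProperty -PSPath $Root -Location $App `
                -Filter "$WinAuth/providers" -Name 'Collection' |
                ForEach-Object { $_.value })

    [pscustomobject]@{
        EpaRequired = ("$epa" -eq 'Require')
        SslRequired = ("$ssl" -match 'Ssl')
        NtlmOffered = [bool]($providers | Where-Object { $_ -in 'NTLM', 'Negotiate' })
        Providers   = ($providers -join ', ')
    }
}

function Set-CertSrvRelayHardening {
    # Require HTTPS on /CertSrv.
    Set-WebConfigurationProperty -PSPath $Root -Location $App `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    # Require Extended Protection (channel binding) for Windows Authentication.
    Set-WebConfigurationProperty -PSPath $Root -Location $App `
        -Filter "$WinAuth/extendedProtection" -Name 'tokenChecking' -Value 'Require'
    # Offer Kerberos only: drop NTLM and plain Negotiate, keep Negotiate:Kerberos.
    foreach ($p in 'NTLM', 'Negotiate') {
        Remove-WebConfigurationProperty -PSPath $Root -Location $App `
            -Filter "$WinAuth/providers" -Name '.' -AtElement @{ value = $p } `
            -ErrorAction SilentlyContinue
    }
    $have = @(Get-WebConfigurationProperty -PSPath $Root -Location $App `
                -Filter "$WinAuth/providers" -Name 'Collection' |
                ForEach-Object { $_.value })
    if ('Negotiate:Kerberos' -notin $have) {
        Add-WebConfigurationProperty -PSPath $Root -Location $App `
            -Filter "$WinAuth/providers" -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
    }
}

Write-Host 'Current /CertSrv state:'
Get-CertSrvRelayHardening | Format-List

if ($Apply) {
    Set-CertSrvRelayHardening
    Write-Host 'State after hardening:'
    Get-CertSrvRelayHardening | Format-List
}
```

A report of EpaRequired = True, SslRequired = True and NtlmOffered = False is what you want to see. The script covers only the Certificate Authority Web Enrollment application; the Certificate Enrollment Web Service has its own web.config setting for extended protection, and disabling NTLM on the domain controllers themselves is a Group Policy change outside this script. Test against a lab CA first, since clients that can only authenticate with NTLM will lose access to web enrollment.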

Pierluigi Paganini

(SecurityAffairs – hacking, DFSCoerce)

The post New DFSCoerce NTLM relay attack allows taking control over Windows domains appeared first on Security Affairs.