New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover


Security researcher Filip Dragovic has published DFSCoerce, a new Windows NTLM relay attack that abuses MS-DFSNM (Microsoft's Distributed File System Namespace Management protocol) to take over Windows domains.

Dragovic unveiled the script on Twitter on Saturday, alongside a link to a GitHub page detailing his findings.

For context, Microsoft Active Directory Certificate Services (ADCS) is a public key infrastructure (PKI) service that issues the certificates typically used to authenticate users, services and devices on a given Windows domain.

The technique Dragovic published forces a domain controller to authenticate to a machine under the attacker's control, which runs an NTLM relay.

The relay then forwards the domain controller's NTLM authentication over HTTP to the domain's ADCS web enrollment endpoint and obtains a certificate for the domain controller's machine account. That certificate can be used to request a Kerberos ticket-granting ticket (TGT) as the domain controller, allowing the attacker to impersonate it on the network.

Because a domain controller holds elevated privileges, an attacker who assumes its identity can then act with domain-level authority, for instance replicating every account's credentials via DCSync, and execute arbitrary commands across the domain.

There are various methods to force a remote server to authenticate against a malicious NTLM relay, and the vulnerability Dragovic discovered is one of them.

“Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay DC authentication to ADCS? Don’t worry MS-DFSNM have your back ;),” the security researcher wrote in his tweet.

The proof-of-concept script is based on the PetitPotam exploit, but instead of using the MS-EFSRPC protocol, it relies on MS-DFSNM, the RPC interface through which Windows DFS namespaces are managed. Coercing authentication through a different interface is what lets it sidestep the defenses Dragovic lists: disabling the Print Spooler blocks PrinterBug, RPC filters on MS-EFSRPC block PetitPotam, and not installing the File Server VSS Agent blocks ShadowCoerce, but none of them touch MS-DFSNM.

Still, because the attacks share the same second stage (relaying the coerced authentication to ADCS), following Microsoft's PetitPotam advisory, KB5005413 on mitigating NTLM relay attacks against AD CS, mitigates DFSCoerce as well, since it hardens the target of the relay rather than the individual coercion method.

According to that document, mitigations include enabling Extended Protection for Authentication (EPA) on the ADCS web enrollment services, requiring HTTPS (turning off plain HTTP) on ADCS servers, disabling NTLM where possible, and enabling SMB signing.
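The following PowerShell is an added example of applying and checking those mitigations, not code from the article or from the DFSCoerce tool. It assumes the Certificate Authority Web Enrollment application is installed at `Default Web Site/CertSrv` on the CA host, and that the MS-DFSNM interface UUID is `4fc742e0-4a10-11cf-8273-00aa004ae673` (the value used in public RPC-filter write-ups; verify it against your own endpoint map before deploying the filter). The RPC filter goes a step beyond the advisory and blocks the coercion interface itself on a domain controller, which also breaks legitimate DFS namespace management against that host.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or DFSCoerce): harden AD CS web enrollment per
# Microsoft's KB5005413 guidance and optionally block the MS-DFSNM RPC interface on a DC.
Import-Module WebAdministration

$Site      = 'Default Web Site'                          # assumed IIS site hosting CertSrv
$App       = 'CertSrv'                                   # assumed web enrollment application
$DfsNmUuid = '4fc742e0-4a10-11cf-8273-00aa004ae673'      # assumed MS-DFSNM (netdfs) interface UUID

$WinAuthEpa = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$Access     = 'system.webServer/security/access'

function Get-IisAttrValue {
    # Get-WebConfigurationProperty returns either a raw value or a ConfigurationAttribute;
    # normalise both to a string so the checks below compare reliably.
    param($Filter, $Name)
    $raw = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$App" -Filter $Filter -Name $Name
    if ($null -ne $raw.Value) { return [string]$raw.Value }
    return [string]$raw
}

function Set-AdcsWebEnrollmentHardening {
    # 1. EPA: channel binding ties the NTLM handshake to the TLS channel the client used,
    #    so an NTLM exchange relayed through the attacker's host fails at the CA.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$App" `
        -Filter $WinAuthEpa -Name 'tokenChecking' -Value 'Require'

    # 2. Require TLS on the enrollment app (EPA channel binding only exists over TLS,
    #    and this removes the plain-HTTP relay target entirely).
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$Site/$App" `
        -Filter $Access -Name 'sslFlags' -Value 'Ssl'

    # 3. Require SMB signing on this host, which defeats the relay-to-SMB variant.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

function Get-AdcsWebEnrollmentStatus {
    # Read the settings back so the change can be audited on every CA in the forest.
    $epa = Get-IisAttrValue -Filter $WinAuthEpa -Name 'tokenChecking'
    $ssl = Get-IisAttrValue -Filter $Access -Name 'sslFlags'
    $smb = (Get-SmbServerConfiguration).RequireSecuritySignature
    [pscustomobject]@{
        ExtendedProtection     = $epa
        SslFlags               = $ssl
        SmbSigningRequired     = $smb
        RelayMitigated         = ($epa -eq 'Require' -and $ssl -match 'Ssl')
    }
}

function Add-DfsNmRpcBlockFilter {
    # Block inbound calls to the MS-DFSNM interface with an RPC filter, the same mechanism
    # used against PetitPotam's MS-EFSRPC. Caveat: DFS namespace management against this
    # server stops working; test on a lab DC first.
    netsh rpc filter add rule layer=um actiontype=block
    netsh rpc filter add condition field=if_uuid matchtype=equal data=$DfsNmUuid
    netsh rpc filter add filter
}

function Get-RpcFilters {
    # Lists installed RPC filters; the DFSNM UUID should appear after Add-DfsNmRpcBlockFilter.
    netsh rpc filter show filter
}

# Usage on the CA host:
#   Set-AdcsWebEnrollmentHardening
#   Get-AdcsWebEnrollmentStatus
# Usage on a domain controller (optional, see caveat):
#   Add-DfsNmRpcBlockFilter; Get-RpcFilters
```

`Get-AdcsWebEnrollmentStatus` is the piece worth scheduling: run it against every CA after patch cycles, because a reinstall of the web enrollment role or a web.config rollback silently reverts EPA and SSL to their defaults, and a CA that accepts NTLM over plain HTTP is exactly the target DFSCoerce needs.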

Infosecurity Magazine has reached out to Microsoft to ask about a DFSCoerce-specific patch and will update this article with any additional comments from the company.
