New NTLM Relay Attack Allows Attackers to Take Control of Windows Domain

A new type of Windows NTLM relay attack dubbed DFSCoerce has been discovered that leverages the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to gain control of a domain.

“Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay [Domain Controller authentication] to [Active Directory Certificate Services]? Don’t worry, MS-DFSNM has (sic) your back”, security researcher Filip Dragovic said in a tweet.


MS-DFSNM provides a remote procedure call (RPC) interface for administering distributed file system configurations.

The NTLM (NT LAN Manager) relay attack is a well-known method that exploits the protocol's challenge-response mechanism. It allows malicious parties to sit between clients and servers, intercept validated authentication requests and relay them to gain unauthorized access to network resources, effectively gaining a foothold in Active Directory environments.

DFSCoerce’s discovery follows a similar method called PetitPotam that abuses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to coerce Windows servers, including domain controllers, into authenticating to a relay under the control of an attacker, allowing hackers to potentially take control of an entire domain.


“By relaying an NTLM authentication request from a domain controller to the CA web enrollment or certificate enrollment web service on an AD CS system, an attacker can obtain a certificate that can be used to obtain a Ticket Granting Ticket (TGT) from the domain controller”, the CERT Coordination Center (CERT/CC) noted, detailing the chain of attack.

To mitigate NTLM relay attacks, Microsoft recommends enabling protections such as Extended Authentication Protection (EPA), SMB signing, and disabling HTTP on AD CS servers.
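An added defender-side audit of those three settings, written in PowerShell for a domain controller or AD CS host; this is example code, not from the article or from Microsoft, and it assumes the CA web enrollment pages live at the default 'Default Web Site/CertSrv' IIS path.

```powershell
# Added example: audit the three relay mitigations named above.
# Registry and IIS property names are the standard Windows/IIS ones; the
# CertSrv site path is an assumption and may differ in your deployment.
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Get-IisAttr($PSPath, $Filter, $Name) {
    # Get-WebConfigurationProperty returns a plain value for some attributes
    # and an object with a .Value member for others; normalise to a string.
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return "$($v.Value)" }
    return "$v"
}

$findings = @()

# 1. SMB signing: the server must REQUIRE signatures; "enabled" alone still
#    lets an unsigned relayed session through.
#    Fix: Set-SmbServerConfiguration -RequireSecuritySignature $true
$smb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ($smb.RequireSecuritySignature -ne 1) {
    $findings += 'SMB signing not required (RequireSecuritySignature != 1)'
}

$site = 'IIS:\Sites\Default Web Site\CertSrv'   # assumed AD CS web enrollment path
if (Test-Path $site) {
    # 2. EPA: channel-binding token checking must be 'Require', so a relayed
    #    NTLM exchange bound to the attacker's TLS channel is rejected.
    #    Fix: Set-WebConfigurationProperty ... -Name tokenChecking -Value Require
    $epa = Get-IisAttr $site 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
    if ($epa -ne 'Require') {
        $findings += "EPA tokenChecking on CertSrv is '$epa', expected 'Require'"
    }

    # 3. HTTP disabled: require SSL so enrollment cannot be reached over plain
    #    HTTP, where EPA offers no channel binding at all.
    #    Fix: Set-WebConfigurationProperty ... -Name sslFlags -Value 'Ssl'
    $ssl = Get-IisAttr $site 'system.webServer/security/access' 'sslFlags'
    if ($ssl -notmatch 'Ssl') {
        $findings += "CertSrv does not require SSL (sslFlags = '$ssl')"
    }
} else {
    $findings += "CertSrv site not found at '$site'; adjust the path if AD CS web enrollment is installed"
}

if ($findings.Count -eq 0) { 'All three relay mitigations are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```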
