Attackers Could Take Over Windows Domains Using New DFSCoerce NTLM Relay Attack

Researchers discovered a new DFSCoerce NTLM relay attack that could allow perpetrators to completely take over a Windows domain using Microsoft’s Distributed File System (MS-DFSNM).

Security researcher Filip Dragovic released the attack as a Proof-of-Concept (PoC) script. The script is based on an NTLM relay attack dubbed “DFSCoerce” that relays authentication attempts against servers through Microsoft’s Distributed File System.

The script is a derivative of PetitPotam, an exploit that allowed attackers to use Microsoft’s Encrypting File System Protocol (MS-EFSRPC) to trick servers into believing they have legitimate access. However, the newly discovered script uses MS-DFSNM instead of MS-EFSRPC, letting perpetrators manage Windows’ Distributed File System via a Remote Procedure Call (RPC) interface.

To manage user, device and service authentication on Windows domains, organizations mostly rely on Microsoft Active Directory Certificate Services, a public key infrastructure (PKI) service.

Although efficient, this service is prone to NTLM relay attacks that could allow threat actors to force domain controller authentications against malicious NTLM relays they control.

After receiving the forced authentication request, the relay forwards it to the domain’s Active Directory Certificate Services via HTTP and receives a Kerberos ticket-granting ticket (TGT). With that ticket, the attackers can impersonate any device on the network, including a domain controller.

Impersonating a domain controller could grant threat actors elevated privileges, enabling them to take over the domain completely and run any command on the compromised domain.

Although Microsoft has patched several vulnerable protocols against forced authentication attempts, perpetrators keep finding ways around the fixes. The company released an advisory on preventing PetitPotam NTLM relay attacks. Ways to mitigate the attack include:

  • Enabling EPA and disabling HTTP on AD CS servers
  • Disabling NTLM Authentication on Windows domain controllers
  • Disabling NTLM for Internet Information Services (IIS) on Active Directory Certificate Services (AD CS) servers
  • Disabling NTLM on AD CS servers using Group Policies (GPO)
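The first three mitigations above can be audited and applied on the AD CS web enrollment server itself. The script below is an added example for that purpose, not code from the article or from the DFSCoerce PoC; it assumes the default "Default Web Site/CertSrv" application path and that the IIS WebAdministration module is installed.

```powershell
# Added example: audit and harden AD CS Web Enrollment (IIS) against NTLM relay.
# Assumptions: default app path 'Default Web Site/CertSrv', WebAdministration module present.
Import-Module WebAdministration

$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Get-AdcsWebEnrollmentHardening {
    param([string]$Location = 'Default Web Site/CertSrv')   # assumed default path
    $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Location }

    # EPA: "Require" binds the NTLM exchange to the TLS channel, so a relayed
    # authentication from another channel is rejected by IIS.
    $epa = (Get-WebConfigurationProperty @common -Filter $WinAuth -Name extendedProtection).tokenChecking

    # Providers offered to clients; a bare "NTLM" entry leaves the weak path available.
    $providers = Get-WebConfigurationProperty @common -Filter "$WinAuth/providers/add" -Name value |
        ForEach-Object { $_.Value }

    # Require SSL keeps enrollment off plain HTTP so channel binding can apply at all.
    $ssl = (Get-WebConfigurationProperty @common -Filter 'system.webServer/security/access' -Name sslFlags).Value

    [pscustomobject]@{
        Location    = $Location
        EpaRequired = ($epa -eq 'Require')
        NtlmOffered = ($providers -contains 'NTLM')
        SslRequired = ("$ssl" -match 'Ssl')
        Providers   = ($providers -join ',')
    }
}

function Set-AdcsWebEnrollmentHardening {
    param([string]$Location = 'Default Web Site/CertSrv')
    $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Location }

    # Mitigation 1: enable EPA (Require) and force HTTPS on the enrollment app.
    Set-WebConfigurationProperty @common -Filter $WinAuth -Name extendedProtection `
        -Value @{ tokenChecking = 'Require'; flags = 'None' }
    Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

    # Mitigation 3: stop offering NTLM for IIS on the AD CS server; keep Negotiate (Kerberos).
    Remove-WebConfigurationProperty @common -Filter "$WinAuth/providers" -Name '.' -AtElement @{ value = 'NTLM' }
}

Get-AdcsWebEnrollmentHardening | Format-List
```

Run the audit first; apply the hardening only after confirming clients can enroll over Kerberos, and remember that disabling NTLM on domain controllers (the remaining two mitigations) is a Group Policy change, not an IIS setting.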