New NTLM Relay Attack Allows Attackers to Take Control of Windows Domain

A new type of Windows NTLM relay attack called DFSCoerce was discovered that exploits the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to take control of a domain.

“Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay [Domain Controller authentication to [Active Directory Certificate Services]? Don’t worry, MS-DFSNM has (sic) your back”, Filip Dragovic, security researcher said in a tweet.

cyber security

MS-DFSNM provides a remote procedure call (RPC) interface for administering distributed file system configurations.

The NTLM (NT Lan Manager) relay attack is a well-known method that exploits the challenge-response mechanism. It allows malicious parties to sit between clients and servers and intercept and relay validated authentication requests to gain unauthorized access to network resources, effectively gaining a foothold in Active Directory environments.

The discovery of DFSCoerce follows a similar method called PetitPotam which abuses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to force Windows servers, including domain controllers, to authenticate to a relay under the control of an attacker, allowing hackers to potentially take control of an entire domain.

cyber security

“By relaying an NTLM authentication request from a domain controller to the CA web enrollment or certificate enrollment web service on an AD CS system, an attacker can obtain a certificate that can be used to obtain a Ticket Granting Ticket (TGT) from the domain controller”, the CERT Coordination Center (CERT/CC) Noteddetailing the attack chain.

To mitigate NTLM relay attacks, Microsoft recommended enabling protections such as Extended Protection for Authentication (EPA), SMB signing, and disabling HTTP on AD CS servers.