Researchers discovered a new DFSCoerce NTLM relay attack that could allow perpetrators to completely take over a Windows domain using Microsoft’s Distributed File System (MS-DFSNM).
Security researcher Filip Dragovic released the attack as a Proof-of-Concept (PoC) script. The script is based on an NTLM relay attack dubbed “DFSCoerce” that relays authentication attempts against servers through Microsoft’s Distributed File System.
The script is a derivative of PetitPotam, an exploit that allowed attackers to use Microsoft’s Encrypting File System Protocol (MS-EFSRPC) to trick servers into believing they have legitimate access. However, the newly discovered script uses MS-DFSNM instead of MS-EFSRPC, letting perpetrators manage Windows’ Distributed File System via a Remote Procedure Call (RPC) interface.
To manage user, device and service authentication on Windows domains, organizations mostly rely on Microsoft Active Directory Certificate Services, a public key infrastructure (PKI) service.
Although efficient, this service is prone to NTLM relay attacks that could allow threat actors to force domain controller authentications against malicious NTLM relays they control.
After receiving the forced authentication request, the relay would forward it to a domain’s Active Directory Certificate Services via HTTP and receive a Kerberos ticket-granting ticket (TGT). The ticket facilitates mimicking any device on the network, including a domain controller, to the attackers.
Impersonating a domain controller could grant threat actors elevated privileges, enabling them to take over completely and run any command on the compromised domain.
Although Microsoft has patched several vulnerable protocols against forced authentication attempts, perpetrators keep finding ways around the fixes. The company released an advisory on preventing PetitPotam NTLM relay attacks. Ways to mitigate the attack include:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsSeptember 06, 2024
September 02, 2024
August 13, 2024