Pierluigi Paganini June 21, 2022

Experts discovered a new kind of Windows NTLM relay attack dubbed DFSCoerce that allows taking control over a Windows domain.

Researchers warn of a new Windows NTLM relay attack dubbed DFSCoerce that can be exploited by threat actors to take control over a Windows domain.

The DFSCoerce attack relies on the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to take full control over a Windows domain. The Distributed File System (DFS): Namespace Management Protocol provides an RPC interface for administering DFS configurations.

The security researcher Filip Dragovic published a proof-of-concept script for the new NTLM relay attack.

The PoC is based on the PetitPotam exploit, and abuse the MS-DFSNM protocol instead of using the MS-EFSRPC.

The popular CERT/CC Expert Will Dormann confirmed that the attack could allow threat actors to obtain Ticket Granting Ticket (TGT) from the domain controller.

To mitigate the attack, researchers suggest following Microsoft’s advisory for the mitigation of the PetitPotam NTLM relay attack, such as disabling the NTLM on domain controllers and enabling Extended Protection for Authentication (EPA) and signing features, and turning off HTTP on AD CS servers.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, DFSCoerce)

[adrotate banner=”5″]

[adrotate banner=”13″]