New NTLM relay attack: threat actor can control the Windows domain

The attack named DFSCoerce leverages the Distributed File System to seize control of the domain

Microsoft should address these new vectors. Attackers can relay server authentication and gain access to the domain with admin rights.

A new Windows NTLM relay attack has been discovered. It uses MS-DFSNM, the management protocol of Microsoft's Distributed File System, and allows the complete takeover of the Windows domain.[1] The Microsoft Active Directory Certificate Services (AD CS) feature is used by many organizations. This public key infrastructure service is used to authenticate users, services, and devices on the Windows domain.

The service, however, is vulnerable to these NTLM relay attacks.[2] Attackers force a domain controller to authenticate against a malicious relay server under their control. That server then forwards (relays) the authentication request over HTTP to the domain's Active Directory Certificate Services, obtains a certificate for the domain controller, and finally uses it to get a Kerberos ticket.

This ticket-granting ticket (TGT) allows hackers to assume the identity of any of the services connected to this network. It can be any device, including the domain controller. Hackers can impersonate domain controllers and gain elevated privileges this way. Attackers can take control over the domain and run any commands.[3]

Various methods get used to coerce the remote server

Threat actors can coerce a remote server to authenticate against a malicious NTLM relay using several different methods. The MS-RPRN, MS-EFSRPC (PetitPotam)[4] and MS-FSRVP protocols can all be abused. Microsoft managed to patch some of them to prevent unauthenticated coercion, but it is possible to bypass these patches and abuse the protocols again.

NTLM relay attacks are commonly used to exploit the challenge-response mechanism and allow the attacker to sit between clients and particular servers. The attacker intercepts the validated authentication requests and forwards them to gain access to the targeted network resources. This way, attackers can gain a foothold in Active Directory environments.
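One way to spot the relay chain described above on the receiving side is to watch the AD CS web enrollment host's Security log for NTLM network logons by a domain controller's machine account that arrive from an address other than that domain controller's own. The following detection sketch is an added example, not code from the article or from any referenced researcher; the log line format, the host inventory and the IP addresses are constructed for the example and must be mapped to your own SIEM's field names.

```python
"""Detection sketch: NTLM network logons by machine accounts from the wrong host.

Added example, not from the article. When a domain controller is coerced and
its authentication relayed to AD CS web enrollment, the AD CS host records a
4624 (logon type 3, authentication package NTLM) for the DC's machine account,
but the source network address is the relay host rather than the DC itself.
The log format and inventory below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    account: str
    logon_type: int
    auth_pkg: str
    source_ip: str
    target: str


@dataclass(frozen=True)
class Finding:
    account: str
    source_ip: str
    target: str
    reason: str


# Constructed inventory: machine account -> the address it is expected to log on from.
HOST_INVENTORY: Dict[str, str] = {
    "DC01$": "10.0.0.5",
    "FS01$": "10.0.0.20",
    "WS07$": "10.0.1.44",
}

# Constructed log lines in a simplified "eventid key=value ..." form.
SAMPLE_LOG_LINES = [
    "4624 Account=DC01$ LogonType=3 AuthPkg=Kerberos SourceIP=10.0.0.5 Target=FS01",
    "4624 Account=FS01$ LogonType=3 AuthPkg=NTLM SourceIP=10.0.0.20 Target=CA01",
    "4624 Account=jdoe LogonType=2 AuthPkg=NTLM SourceIP=10.0.1.44 Target=WS07",
    "4624 Account=DC01$ LogonType=3 AuthPkg=NTLM SourceIP=10.0.0.99 Target=CA01",
    "4625 Account=DC01$ LogonType=3 AuthPkg=NTLM SourceIP=10.0.0.99 Target=CA01",
    "4624 Account=PRN02$ LogonType=3 AuthPkg=NTLM SourceIP=10.0.3.7 Target=CA01",
]


def parse_log_line(line: str) -> Optional[LogonEvent]:
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].isdigit():
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        return LogonEvent(
            event_id=int(parts[0]),
            account=fields["Account"],
            logon_type=int(fields["LogonType"]),
            auth_pkg=fields["AuthPkg"],
            source_ip=fields["SourceIP"],
            target=fields["Target"],
        )
    except (KeyError, ValueError):
        return None


def parse_log_lines(lines: Iterable[str]) -> List[LogonEvent]:
    return [ev for ev in (parse_log_line(line) for line in lines) if ev is not None]


def suspicious_relay_logons(events: Iterable[LogonEvent], inventory: Dict[str, str]) -> List[Finding]:
    """Return successful NTLM network logons by machine accounts whose source
    address is unknown or does not match the inventory entry for that account."""
    findings: List[Finding] = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type != 3:
            continue  # only successful network logons are of interest here
        if ev.auth_pkg.upper() != "NTLM" or not ev.account.endswith("$"):
            continue  # Kerberos logons and user accounts are out of scope
        expected = inventory.get(ev.account)
        if expected is None:
            findings.append(Finding(ev.account, ev.source_ip, ev.target,
                                    "machine account not in host inventory"))
        elif ev.source_ip != expected:
            findings.append(Finding(ev.account, ev.source_ip, ev.target,
                                    f"source {ev.source_ip} differs from inventory address {expected}"))
    return findings


if __name__ == "__main__":
    for f in suspicious_relay_logons(parse_log_lines(SAMPLE_LOG_LINES), HOST_INVENTORY):
        print(f"{f.account} -> {f.target} from {f.source_ip}: {f.reason}")
```

Multi-homed servers and DHCP-assigned addresses will produce false positives with a static inventory, so in practice the expected address should come from DNS or DHCP lease data rather than a hard-coded table; the rule is deliberately narrow (successful, type 3, NTLM, machine account) so that it can run on every 4624 without much noise.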

The new attack dubbed DFSCoerce

The attack was reported by security researchers who released[5] a proof-of-concept script for this new NTLM relay attack, which uses Microsoft's Distributed File System protocol to relay authentication to an arbitrary server. It is based on the well-known PetitPotam exploit, but particular features separate the two.

Filip Dragovic, who reported the issue, stated that this new DFSCoerce script uses the MS-DFSNM protocol instead of the common MS-EFSRPC. The protocol allows the Windows Distributed File System to be managed via an RPC interface. Testing the NTLM relay attack shows that it is easy to turn a user with limited access to a Windows domain into an admin of the domain.

This is a known issue that has been acknowledged, and Microsoft is working on ways to prevent the attack. To mitigate these relay attacks, it is possible to enable protections like Extended Protection for Authentication and SMB signing, and to turn off HTTP on AD CS servers. Microsoft should address this new vector too and keep users updated on the issue.

It is best to follow the existing mitigation tips for the PetitPotam NTLM relay attack, so that Windows credentials can be protected. Other methods include using the built-in Windows RPC filters or the firewall, so that server coercion via the MS-DFSNM protocol can be blocked.
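The mitigations listed above (SMB signing, Extended Protection for Authentication on the AD CS web enrollment application, TLS-only enrollment, and an RPC filter for the DFS namespace management interface) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this article, not code from Microsoft or from the DFSCoerce researchers; it assumes the default IIS site name "Default Web Site" and the default "CertSrv" application path, and the interface UUID it blocks is the netdfs interface identifier from the MS-DFSNM specification, which you should confirm against the specification for your build before deploying.

```powershell
# Added example (not from the article): audit, and with -Apply enforce, the
# NTLM relay mitigations discussed above. Run steps 1-3 on the AD CS web
# enrollment server; step 4 is meant for domain controllers.
# Assumes the IIS site "Default Web Site" and application path "CertSrv".
#Requires -RunAsAdministrator
param([switch]$Apply)

Import-Module WebAdministration

$site   = 'Default Web Site'
$app    = "$site/CertSrv"
$psPath = 'MACHINE/WEBROOT/APPHOST'

# 1. SMB signing: a signed SMB session cannot be relayed to another SMB server.
$smb = Get-SmbServerConfiguration
"SMB RequireSecuritySignature : $($smb.RequireSecuritySignature)"
if ($Apply -and -not $smb.RequireSecuritySignature) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# 2. Extended Protection for Authentication on CertSrv: binds the NTLM
#    handshake to the TLS channel, so a relayed handshake is rejected.
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'
$epa = Get-WebConfigurationProperty -PSPath $psPath -Location $app `
        -Filter $authFilter -Name 'extendedProtection.tokenChecking'
"EPA tokenChecking            : $epa"
if ($Apply -and "$epa" -ne 'Require') {
    Set-WebConfigurationProperty -PSPath $psPath -Location $app `
        -Filter $authFilter -Name 'extendedProtection.tokenChecking' -Value 'Require'
}

# 3. Require TLS on CertSrv so that plain HTTP enrollment is not available.
$sslFlags = Get-WebConfigurationProperty -PSPath $psPath -Location $app `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
"CertSrv sslFlags             : $sslFlags"
if ($Apply -and ("$sslFlags" -notmatch 'Ssl')) {
    Set-WebConfigurationProperty -PSPath $psPath -Location $app `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# 4. (Domain controllers, optional) RPC filter blocking the MS-DFSNM (netdfs)
#    interface. UUID taken from the MS-DFSNM specification; confirm before use.
#    This also blocks legitimate remote DFS namespace administration on the
#    host, so keep a local/console path for DFS admins and test first.
#    Existing filters can be listed with: netsh rpc filter show filter
$dfsnmUuid = '4fc742e0-4a10-11cf-8273-00aa004ae673'
if ($Apply) {
    netsh rpc filter add rule layer=um actiontype=block
    netsh rpc filter add condition field=if_uuid matchtype=equal data=$dfsnmUuid
    netsh rpc filter add filter
}
```

Run the script without switches first to see the current state of each setting; re-run with -Apply once the output has been reviewed. The RPC filter is applied with the standard netsh three-step sequence (rule, condition, filter), and the firewall alternative mentioned above would instead restrict inbound RPC to the domain controllers from non-administrative subnets.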

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
