
Attackers Could Take Over Windows Domains Using New DFSCoerce NTLM Relay Attack

Vlad CONSTANTINESCU

June 21, 2022

Researchers discovered a new NTLM relay attack, DFSCoerce, that could allow perpetrators to completely take over a Windows domain by abusing Microsoft's Distributed File System Namespace Management protocol (MS-DFSNM).

Security researcher Filip Dragovic released the attack as a Proof-of-Concept (PoC) script. The script implements an NTLM relay attack dubbed "DFSCoerce", which coerces servers into authenticating through Microsoft's Distributed File System and relays those authentication attempts.

The script is a derivative of PetitPotam, an exploit that abused Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC) to force servers into authenticating to a host the attackers control. The newly released script uses MS-DFSNM instead of MS-EFSRPC, the Remote Procedure Call (RPC) interface through which Windows' Distributed File System namespaces are managed.

To manage user, device and service authentication on Windows domains, organizations mostly rely on Microsoft Active Directory Certificate Services, a public key infrastructure (PKI) service.

Although efficient, this service is prone to NTLM relay attacks that could allow threat actors to force domain controllers to authenticate against malicious NTLM relays under the attackers' control.

After receiving the forced authentication, the relay forwards it to the domain's Active Directory Certificate Services over HTTP and obtains a Kerberos ticket-granting ticket (TGT). That ticket lets the attackers impersonate any device on the network, including a domain controller.

Impersonating a domain controller could grant threat actors elevated privileges, enabling them to take over the compromised domain completely and run any command on it.

Although Microsoft has patched several vulnerable protocols against forced authentication attempts, perpetrators keep finding ways around the fixes. The company released an advisory on preventing PetitPotam NTLM relay attacks. Ways to mitigate the attack include:

  • Enabling Extended Protection for Authentication (EPA) and disabling HTTP on AD CS servers
  • Disabling NTLM authentication on Windows domain controllers
  • Disabling NTLM for Internet Information Services (IIS) on Active Directory Certificate Services (AD CS) servers
  • Disabling NTLM on AD CS servers using Group Policy Objects (GPO)
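As an added example (not from the article or from Microsoft's advisory), the following read-only PowerShell check audits the first three mitigations above on an AD CS server that hosts web enrollment. It assumes the IIS WebAdministration module is installed and that the enrollment site sits at the default path 'Default Web Site/CertSrv'; adjust $Site if yours differs.

```powershell
# Added example: read-only audit of PetitPotam/DFSCoerce relay mitigations on an
# AD CS web-enrollment server. Run locally, as an administrator. Nothing is changed.
Import-Module WebAdministration

$Site    = 'Default Web Site/CertSrv'   # assumption: default enrollment site path
$Results = @()

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:Results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# Get-WebConfigurationProperty returns a plain value for some attributes and a
# ConfigurationAttribute object for others; normalise both to a string.
function Get-IisValue([string]$Location, [string]$Filter, [string]$Name) {
    $p = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Filter $Filter -Name $Name
    if ($null -ne $p.Value) { return [string]$p.Value } else { return [string]$p }
}

# 1. EPA: Extended Protection must be 'Require' on the CertSrv site.
#    'Allow' or 'None' still accepts relayed NTLM without channel binding.
$epa = Get-IisValue $Site 'system.webServer/security/authentication/windowsAuthentication' `
                    'extendedProtection.tokenChecking'
Add-Check 'EPA required on CertSrv' ($epa -eq 'Require') "tokenChecking=$epa"

# 2. HTTP disabled: the site must require SSL, so a relay cannot reach it over plain HTTP.
$ssl = Get-IisValue $Site 'system.webServer/security/access' 'sslFlags'
Add-Check 'SSL required on CertSrv' (($ssl -split ',\s*') -contains 'Ssl') "sslFlags=$ssl"

# 3. NTLM restricted: policy values written by the "Network security: Restrict NTLM"
#    Group Policy settings. 2 = Deny all; lower values allow or only audit.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
foreach ($v in 'RestrictReceivingNTLMTraffic', 'RestrictSendingNTLMTraffic') {
    $val = (Get-ItemProperty -Path $lsa -Name $v -ErrorAction SilentlyContinue).$v
    Add-Check "$v = Deny all" ($val -eq 2) "value=$val"
}

$Results | Format-Table -AutoSize
if ($Results.Pass -contains $false) { exit 1 }   # non-zero exit for scheduled compliance runs
```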
