Attackers Could Take Over Windows Domains Using New DFSCoerce NTLM Relay Attack
Researchers discovered a new DFSCoerce NTLM relay attack that could allow perpetrators to completely take over a Windows domain by abusing Microsoft's Distributed File System Namespace Management protocol (MS-DFSNM).
Security researcher Filip Dragovic released the attack as a Proof-of-Concept (PoC) script. The script is based on an NTLM relay attack dubbed “DFSCoerce” that relays authentication attempts against servers through Microsoft’s Distributed File System.
The script is a derivative of PetitPotam, an exploit that abused Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC) to coerce a server into authenticating to a host the attacker controls. The newly released script uses MS-DFSNM instead of MS-EFSRPC, the Remote Procedure Call (RPC) interface through which Windows' Distributed File System is managed, to trigger the same kind of forced authentication.
To manage user, device and service authentication on Windows domains, organizations mostly rely on Microsoft Active Directory Certificate Services, a public key infrastructure (PKI) service.
Although efficient, this service is prone to NTLM relay attacks that could allow threat actors to force domain controller authentications against malicious NTLM relays they control.
After receiving the forced authentication request, the relay forwards it to the domain's Active Directory Certificate Services web enrollment endpoint over HTTP and obtains a certificate issued for the coerced machine account; with that certificate the attacker can then request a Kerberos ticket-granting ticket (TGT). The ticket lets the attackers impersonate any device on the network, including a domain controller.
Impersonating a domain controller could grant threat actors elevated privileges, enabling them to take over completely and run any command on the compromised domain.
Although Microsoft has patched several vulnerable protocols against forced authentication attempts, perpetrators keep finding ways around the fixes. The company released an advisory on preventing PetitPotam NTLM relay attacks. Ways to mitigate the attack include:
- Enabling EPA and disabling HTTP on AD CS servers
- Disabling NTLM Authentication on Windows domain controllers
- Disabling NTLM for Internet Information Services (IIS) on Active Directory Certificate Services (AD CS) servers
- Disabling NTLM on AD CS servers using Group Policies (GPO)
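The following script is an added example, not code from the article or from any of the researchers or vendors it mentions. It audits the four mitigations listed above on an AD CS server that hosts the CertSrv web enrollment application in IIS, and applies the IIS-level fixes only when run with the opt-in `-Remediate` switch. It assumes the IIS `WebAdministration` module is installed, that the enrollment application lives under "Default Web Site" (override with `-SiteName`), and that it runs elevated; the `$findings` list and the parameter names are this example's own choices.

```powershell
<#
  Added example: audit (and optionally remediate) the PetitPotam/DFSCoerce
  mitigations on an AD CS web enrollment server. Assumes the WebAdministration
  module, a site named "Default Web Site" and an elevated session.
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$SiteName = 'Default Web Site',
    [switch]$Remediate   # without this switch the script only reports
)

Import-Module WebAdministration -ErrorAction Stop

$findings = [System.Collections.Generic.List[string]]::new()
$certSrv  = "IIS:\Sites\$SiteName\CertSrv"
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Extended Protection for Authentication (EPA): tokenChecking must be
#    'Require' so a relayed NTLM exchange fails the TLS channel-binding check.
$epa = (Get-WebConfiguration -PSPath $certSrv -Filter "$winAuth/extendedProtection").tokenChecking
if ("$epa" -ne 'Require') {
    $findings.Add("CertSrv EPA tokenChecking is '$epa'; expected 'Require'")
    if ($Remediate) {
        Set-WebConfigurationProperty -PSPath $certSrv -Filter "$winAuth/extendedProtection" `
            -Name tokenChecking -Value 'Require'
    }
}

# 2. EPA only protects TLS connections, so CertSrv must require SSL and the
#    site should carry no plain-HTTP binding that a relay could target.
$sslFlags = (Get-WebConfiguration -PSPath $certSrv -Filter 'system.webServer/security/access').sslFlags
if ("$sslFlags" -notmatch 'Ssl') {
    $findings.Add("CertSrv sslFlags is '$sslFlags'; SSL is not required")
    if ($Remediate) {
        Set-WebConfigurationProperty -PSPath $certSrv -Filter 'system.webServer/security/access' `
            -Name sslFlags -Value 'Ssl'
    }
}
$httpBindings = @(Get-WebBinding -Name $SiteName -Protocol http)
if ($httpBindings.Count -gt 0) {
    $findings.Add("Site '$SiteName' still has $($httpBindings.Count) HTTP binding(s)")
    if ($Remediate) {
        Remove-WebBinding -Name $SiteName -Protocol http
    }
}

# 3. Windows Authentication providers on CertSrv: drop NTLM and plain
#    Negotiate (which can fall back to NTLM) and keep only Negotiate:Kerberos.
$providers = @(Get-WebConfiguration -PSPath $certSrv -Filter "$winAuth/providers/add" |
               ForEach-Object { $_.value })
if (($providers -contains 'NTLM') -or ($providers -contains 'Negotiate')) {
    $findings.Add("CertSrv auth providers are [$($providers -join ', ')]; expected only 'Negotiate:Kerberos'")
    if ($Remediate) {
        foreach ($p in 'NTLM', 'Negotiate') {
            if ($providers -contains $p) {
                Remove-WebConfigurationProperty -PSPath $certSrv -Filter "$winAuth/providers" `
                    -Name '.' -AtElement @{ value = $p }
            }
        }
        if ($providers -notcontains 'Negotiate:Kerberos') {
            Add-WebConfigurationProperty -PSPath $certSrv -Filter "$winAuth/providers" `
                -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
        }
    }
}

# 4. Host-wide NTLM restriction (the GPO "Network security: Restrict NTLM:
#    Incoming NTLM traffic") is reported only; on a domain controller it is
#    disruptive enough to belong in a change-controlled policy, not a script.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$incoming = (Get-ItemProperty -Path $lsaKey -Name RestrictReceivingNTLMTraffic `
             -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
if ($incoming -ne 2) {
    $findings.Add("RestrictReceivingNTLMTraffic is '$incoming'; 2 (Deny all accounts) blocks incoming NTLM")
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings: AD CS web enrollment hardening is in place.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it first without `-Remediate` to see the current state, and repeat the same checks for any Certificate Enrollment Web Service (CES) or Policy Web Service (CEP) applications on the same host, since they are separate IIS applications with their own authentication settings. Pinning the provider to `Negotiate:Kerberos` means enrollment clients must be able to obtain a Kerberos ticket for the server's HTTP service principal name; verify that before applying it in production.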