Windows domain can be taken over by using the new DFSCoerce NTLM

June 24, 2022

Researchers have uncovered a new Windows NTLM relay attack, DFSCoerce, that uses MS-DFSNM, Microsoft's Distributed File System Namespace Management protocol, to help attackers take control of a Windows domain.

Almost all organisations use Microsoft Active Directory Certificate Services, a public key infrastructure service used to authenticate users, devices, and services on a Windows domain. However, this service is prone to NTLM relay attacks, in which threat actors force a domain controller to authenticate against a malicious NTLM relay they control.

The malicious server can then relay, or forward, the authentication request to the domain's Active Directory Certificate Services over HTTP and be granted a ticket-granting ticket (TGT). This ticket enables the adversaries to assume the identity of any device on the network.

Once the attackers impersonate a domain controller, they obtain elevated privileges that allow them to control the Windows domain and run any command.

Threat actors can use various methods to coerce a remote server into authenticating against a malicious NTLM relay. These methods include the MS-RPRN, MS-EFSRPC, and MS-FSRVP protocols.

Cybersecurity researchers released a PoC script for a new NTLM relay attack dubbed DFSCoerce. The newly discovered attack uses the MS-DFSNM protocol to force authentication against an arbitrary server.

The DFSCoerce script was inspired by the PetitPotam exploit. However, it uses MS-DFSNM instead of MS-EFSRPC; MS-DFSNM allows the Windows Distributed File System to be managed over an RPC interface.

The researchers who analysed the attack stated that it could easily give a user domain admin privileges. They also indicated that the best way to prevent such an attack is to follow Microsoft's advisory on mitigating NTLM relay attacks.

Mitigations in the advisory include disabling NTLM on domain controllers and enabling the Extended Protection for Authentication and signing features. Other methods use Windows' default RPC Firewall to prevent a server from being coerced through the MS-DFSNM protocol.

Unfortunately, it is still unknown whether blocking the DFS RPC connection would cause problems on a network.
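As a detection complement to these mitigations, the added example below (not from the article or the researchers' PoC) flags NTLM network logons recorded on the AD CS server in which a domain controller's machine account arrives from an address that is not the DC's own, which is the pattern the relay described above produces. The DC inventory, host names, addresses and events are constructed assumptions; the field names follow the Windows 4624 logon event.

```python
# Added example: detect a DC machine account logging on over NTLM from an
# address that does not belong to that DC (a relayed authentication).
# Every host name, IP address and event below is constructed sample data.

# Assumed inventory: DC machine account -> addresses that DC legitimately uses.
DC_ADDRESSES = {
    "DC01$": {"10.0.0.10"},
    "DC02$": {"10.0.0.11"},
}

# Constructed 4624 (successful logon) records from the AD CS server, reduced
# to the fields this check needs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.99"},         # relayed
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.10"},         # not NTLM
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "dc02$", "IpAddress": "::ffff:10.0.0.11"},  # own address
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "10.0.0.99"},         # not a DC
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.99"},         # not network
]


def normalize_ip(value):
    """Treat IPv4-mapped IPv6 notation as the plain IPv4 address."""
    value = (value or "").strip().lower()
    return value[7:] if value.startswith("::ffff:") else value


def suspicious_dc_ntlm_logons(events, dc_addresses):
    """Return (account, source_ip) for DC accounts seen over NTLM from a
    source that is not one of that DC's known addresses."""
    known = {name.upper(): ips for name, ips in dc_addresses.items()}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue  # only successful network logons
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue  # Kerberos logons are not relayed NTLM
        account = ev.get("TargetUserName", "").upper()
        source = normalize_ip(ev.get("IpAddress"))
        if account in known and source not in known[account]:
            hits.append((account, source))
    return hits


if __name__ == "__main__":
    for account, source in suspicious_dc_ntlm_logons(SAMPLE_EVENTS, DC_ADDRESSES):
        print(f"ALERT: {account} authenticated via NTLM from {source}")
```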
