New NTLM Relay Attack Lets Attackers Take Control Over Windows Domain

21-Jun-22

DFSCoerce is a new type of Windows NTLM relay attack that uses the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to take control of a domain. For anyone who still wants to relay despite having the Spooler service deactivated, RPC filters configured to prevent PetitPotam, and the File Server VSS Agent Service not installed, security researcher Filip Dragovic wrote in a tweet, "Don't worry, MS-DFSNM has your back."

MS-DFSNM provides a remote procedure call (RPC) interface for administering distributed file system configurations. The NTLM (NT LAN Manager) relay attack is a well-known approach that exploits the protocol's challenge-response mechanism. It allows hostile actors to sit between clients and servers and intercept and relay validated authentication requests, essentially acquiring an initial foothold in Active Directory setups.