Security News > 2022 > June > New DFSCoerce NTLM Relay attack allows Windows domain takeover
A new DFSCoerce Windows NTLM relay attack has been discovered that uses MS-DFSNM, Microsoft's Distributed File System, to completely take over a Windows domain.
This service is vulnerable to NTLM relay attacks, which is when threat actors force, or coerce, a domain controller to authenticate against a malicious NTLM relay under an attacker's control.
This week, security researcher Filip Dragovic released a proof-of-concept script for a new NTLM relay attack called 'DFSCoerce' that uses Microsoft's Distributed File System protocol to relay authentication against an arbitrary server.
Security researchers who have tested the new NTLM relay attack have told BleepingComputer that it easily allows a user with limited access to a Windows domain to become a domain admin.
Researchers tell BleepingComputer that the best way to prevent these types of attacks is to follow Microsoft's advisory on mitigating the PetitPotam NTLM relay attack.
These mitigations include disabling NTLM on domain controllers and enabling Extended Protection for Authentication and signing features, such as SMB signing, to protect Windows credentials.
News URL
Related news
- Windows Themes zero-day bug exposes users to NTLM credential theft (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- New Windows zero-day exposes NTLM credentials, gets unofficial patch (source)
- Micropatchers share 1-instruction fix for NTLM hash leak flaw in Windows 7+ (source)
- Microsoft enforces defenses preventing NTLM relay attacks (source)
- Windows kernel bug now exploited in attacks to gain SYSTEM privileges (source)