New DFSCoerce NTLM Relay attack allows Windows domain takeover (Security News, June 2022)

A new Windows NTLM relay attack called DFSCoerce has been discovered that uses MS-DFSNM, Microsoft's Distributed File System Namespace Management protocol, to take over a Windows domain completely.
This service is vulnerable to NTLM relay attacks, in which threat actors force, or coerce, a domain controller into authenticating to a malicious NTLM relay under an attacker's control.
This week, security researcher Filip Dragovic released a proof-of-concept script for a new NTLM relay attack called 'DFSCoerce' that uses Microsoft's Distributed File System protocol to coerce a domain controller into authenticating to an arbitrary server.
Security researchers who have tested the new NTLM relay attack have told BleepingComputer that it easily allows a user with limited access to a Windows domain to become a domain admin.
Researchers tell BleepingComputer that the best way to prevent these types of attacks is to follow Microsoft's advisory on mitigating the PetitPotam NTLM relay attack.
These mitigations include disabling NTLM on domain controllers and enabling Extended Protection for Authentication and signing features, such as SMB signing, to protect Windows credentials.
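As an added example, not code from this news item or from the DFSCoerce researchers, the following PowerShell check reads the registry-backed settings behind the mitigations named above (SMB signing and refusing inbound NTLM) and, where AD CS Web Enrollment is installed, the IIS Extended Protection setting, so a defender can see which hardening is still missing on a domain controller. It assumes it is run elevated on the DC and that Web Enrollment, if present, lives at the default site path 'Default Web Site/CertSrv'.

```powershell
# Added defender check; not part of the original news item.
# Assumes elevated execution on a domain controller.
function Get-RegistrySetting {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # an absent value means the policy was never configured
}

$checks = @(
    @{ Name     = 'SMB server signing required'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name     = 'Inbound NTLM denied (Restrict NTLM: Incoming NTLM traffic = Deny all)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value    = 'RestrictReceivingNTLMTraffic'; Expected = 2 }
)

$results = @(foreach ($c in $checks) {
    $actual = Get-RegistrySetting -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Setting = $c.Name
        Actual  = if ($null -eq $actual) { 'not set' } else { $actual }
        Status  = if ($actual -eq $c.Expected) { 'OK' } else { 'WEAK' }
    }
})

# Extended Protection for Authentication on the AD CS Web Enrollment site, if IIS is present.
# 'Require' is the hardened value; the site path below is an assumption (default install).
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $epa = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location 'Default Web Site/CertSrv' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name tokenChecking -ErrorAction SilentlyContinue
    # The cmdlet may return the attribute object or the bare value; normalise to a string.
    $epaValue = if ($null -ne $epa.Value) { "$($epa.Value)" } else { "$epa" }
    $results += [pscustomobject]@{
        Setting = 'EPA token checking on /CertSrv'
        Actual  = if ($epaValue) { $epaValue } else { 'not found' }
        Status  = if ($epaValue -eq 'Require') { 'OK' } else { 'WEAK' }
    }
}

$results | Format-Table -AutoSize
```

Any row reported as WEAK corresponds to a mitigation from Microsoft's PetitPotam advisory that is not yet enforced on that host.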
Related news
- New Windows PetitPotam NTLM Relay attack vector fixed in May updates
- Microsoft fixes new PetitPotam Windows NTLM Relay attack vector
- New NTLM Relay Attack Lets Attackers Take Control Over Windows Domain
- Microsoft fixes new NTLM relay zero-day in all Windows versions
- Microsoft patches Windows LSA spoofing zero-day under active attack (CVE-2022-26925)
- Hackers have carried out over 65,000 attacks through Windows' Print Spooler exploit
- Microsoft closes Windows LSA hole under active attack
- Microsoft shares mitigation for Windows KrbRelayUp LPE attacks
- Windows zero-day exploited in US local govt phishing attacks
- Qbot malware now uses Windows MSDT zero-day in phishing attacks