
New DFSCoerce NTLM Relay attack allows Windows domain takeover
2022-06-20 20:35

A new Windows NTLM relay attack, DFSCoerce, has been disclosed. It abuses MS-DFSNM, Microsoft's Distributed File System Namespace Management protocol, to coerce a domain controller into authenticating to an attacker-controlled host, a step that can be chained into complete takeover of a Windows domain.

This service is exposed to NTLM relay attacks, in which a threat actor forces, or coerces, a domain controller to authenticate to a malicious NTLM relay under the attacker's control. The relay then forwards that authentication to another service and acts with the domain controller's identity.

This week, security researcher Filip Dragovic released a proof-of-concept script for a new coercion attack called 'DFSCoerce'. It uses Microsoft's Distributed File System Namespace Management protocol (MS-DFSNM) to make a domain controller authenticate to an arbitrary, attacker-chosen server, from which the NTLM authentication can be relayed.

Security researchers who have tested the new NTLM relay attack have told BleepingComputer that it easily allows a user with limited access to a Windows domain to become a domain admin.

Researchers tell BleepingComputer that the best way to prevent these types of attacks is to follow Microsoft's advisory on mitigating the PetitPotam NTLM relay attack.

These mitigations include disabling NTLM authentication on domain controllers where possible, enabling Extended Protection for Authentication (EPA) on services that accept NTLM over TLS, such as Active Directory Certificate Services web enrollment, and requiring signing features such as SMB signing. EPA and signing bind the authentication to the channel it was sent on, so a relayed NTLM exchange is rejected by the target service even if the coercion itself succeeds.
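As an added example (not from the article or from Microsoft's advisory), the following PowerShell script reads the settings those mitigations map to on a domain controller or AD CS host and reports which ones are still at a relay-friendly value. It assumes it is run elevated on the host being audited, that the AD CS web enrollment application lives at the default IIS location `Default Web Site/CertSrv`, and that the `WebAdministration` module is available on the CA host; the registry paths and value names are the standard ones behind the "Restrict NTLM", LAN Manager authentication level and SMB signing policies. It changes nothing; it only reads and reports.

```powershell
# Added audit example: read-only check of NTLM-relay mitigations on a DC / AD CS host.
# Assumptions: run elevated on the target host; AD CS web enrollment at the default
# 'Default Web Site/CertSrv' location; WebAdministration module present on the CA.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: policy not configured
}

# Each entry: a display name, where the effective value lives, and the hardened value.
$checks = @(
    @{ Name   = 'SMB server signing required (1 = required)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value  = 'RequireSecuritySignature'; Expect = 1 },
    @{ Name   = 'SMB client signing required (1 = required)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value  = 'RequireSecuritySignature'; Expect = 1 },
    @{ Name   = 'Restrict NTLM: incoming NTLM traffic (2 = deny all)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value  = 'RestrictReceivingNTLMTraffic'; Expect = 2 },
    @{ Name   = 'Restrict NTLM: outgoing NTLM traffic (2 = deny all)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value  = 'RestrictSendingNTLMTraffic'; Expect = 2 },
    @{ Name   = 'LAN Manager auth level (5 = NTLMv2 only, refuse LM and NTLM)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value  = 'LmCompatibilityLevel'; Expect = 5 }
)

$results = @(foreach ($c in $checks) {
    $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Check  = $c.Name
        Actual = if ($null -eq $actual) { '(not set)' } else { $actual }
        Expect = $c.Expect
        Status = if ($actual -eq $c.Expect) { 'OK' } else { 'REVIEW' }
    }
})

# Extended Protection for Authentication on the AD CS web enrollment app, the
# classic relay target for PetitPotam-style coercion. Value read via IIS config;
# the exact return shape of Get-WebConfigurationProperty is normalised below.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $epa = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location 'Default Web Site/CertSrv' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name 'extendedProtection.tokenChecking' -ErrorAction SilentlyContinue
    $epaValue = if ($null -eq $epa) { '(CertSrv app not found)' }
                elseif ($epa -is [string]) { $epa }
                elseif ($null -ne $epa.Value) { "$($epa.Value)" }
                else { "$epa" }
    $results += [pscustomobject]@{
        Check  = 'AD CS web enrollment: EPA tokenChecking (Require)'
        Actual = $epaValue
        Expect = 'Require'
        Status = if ($epaValue -eq 'Require') { 'OK' } else { 'REVIEW' }
    }
}

$results | Format-Table -AutoSize
```

A `REVIEW` row does not by itself mean the host is exploitable; `RestrictReceivingNTLMTraffic` in particular is often left at audit-only because legacy clients still need NTLM, in which case the EPA and signing rows are the ones that decide whether a coerced authentication can be relayed anywhere useful.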
