Security News > 2022 > June > New NTLM Relay Attack Lets Attackers Take Control Over Windows Domain
A new kind of Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System: Namespace Management Protocol to seize control of a domain.
"Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay ? Don't worry MS-DFSNM have your back," security researcher Filip Dragovic said in a tweet.
The NTLM relay attack is a well-known method that exploits the challenge-response mechanism.
Windows servers, including domain controllers, into authenticating with a relay under an attacker's control, letting threat actors potentially take over an entire domain.
"By relaying an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment or the Certificate Enrollment Web Service on an AD CS system, an attacker can obtain a certificate that can be used to obtain a Ticket Granting Ticket from the domain controller," the CERT Coordination Center noted, detailing the attack chain.
To mitigate NTLM relay attacks, Microsoft recommends enabling protections like Extended Protection for Authentication, SMB signing, and turning off HTTP on AD CS servers.
News URL
https://thehackernews.com/2022/06/new-ntlm-relay-attack-lets-attackers.html
Related news
- Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054) (source)
- Windows NTLM hash leak flaw exploited in phishing attacks on governments (source)
- Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks (source)
- EncryptHub linked to MMC zero-day attacks on Windows systems (source)
- New Windows zero-day leaks NTLM hashes, gets unofficial patch (source)
- CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download (source)