A new DFSCoerce Windows NTLM relay attack has been observed using the Distributed File System of Microsoft (MS-DFSNM). The purpose behind this attack is to completely take over a Windows domain.
DFSCoerce: A NTLM relay attack
A researcher released a proof-of-concept script for a new NTLM relay attack named DFSCoerce. This attack uses the MS-DFSNM protocol to relay authentication against an arbitrary server.
The DFSCoerce script is based on the PetitPotam exploit and uses MS-DFSNM instead of MS-EFSRPC. MS-DFSNM allows the management of Windows DFS.
How does the attack work?
For this attack, researchers abused the Microsoft Active Directory Certificate Services, a public key infrastructure service used to authenticate services, users, and devices on a Windows domain.
This service is exposed to NTLM relay attacks, which is when attackers force a domain controller to authenticate against a malicious NTLM relay.
This malicious server then relays or forwards the authentication request to a domain's Active Directory Certificate Services through HTTP and grants a Kerberos ticket-granting ticket.
This ticket allows the attackers to assume the identity of any device on the network, including a domain controller. Subsequently, they elevate privileges to take over the domain and run any command.
Microsoft has patched some of these protocols to stop the unauthenticated takeovers, though attackers still bypass them. The best way to stop such attacks is to follow the guidelines suggested in the advisory released by Microsoft. Further, it is suggested to use Windows built-in RPC Filters or RPC firewall to protect the servers from such attacks.