A new kind of Windows NTLM relay attack dubbed DFSCoerce was discovered that uses Microsoft’s Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to completely take over a Windows domain.
Many organizations utilize Microsoft Active Directory Certificate Services, a public key infrastructure (PKI) service that is used to authenticate users, services, and devices on a Windows domain.
However, this service is vulnerable to NTLM relay attacks, in which threat actors force, or coerce, a domain controller to authenticate against a malicious NTLM relay under an attacker’s control.
MS-DFSNM provides a remote procedure call (RPC) interface for administering distributed file system configurations.
The NTLM (NT LAN Manager) relay attack is a well-known method that exploits the challenge-response mechanism. It allows malicious parties to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources, effectively gaining an initial foothold in Active Directory environments.
The discovery of DFSCoerce follows a similar method called PetitPotam that abuses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to coerce Windows servers, including domain controllers, into authenticating with a relay under an attacker’s control, letting threat actors potentially take over an entire domain.
By relaying an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment or the Certificate Enrollment Web Service on an AD CS system, an attacker can obtain a certificate that can be used to obtain a Ticket Granting Ticket (TGT) from the domain controller.
To mitigate NTLM relay attacks, Microsoft recommends enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on AD CS servers.
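The following PowerShell audit is an added example, not code from the article or from Microsoft; it checks the three mitigations listed above on an AD CS server that hosts the web enrollment roles in IIS. It assumes the default `CertSrv` application path for Certificate Authority Web Enrollment and that the Certificate Enrollment Web Service path (which varies per CA name) is passed in `$WebApps`.

```powershell
# Audit the NTLM-relay mitigations for AD CS web enrollment:
#   1. SMB signing required on the server
#   2. Extended Protection for Authentication (EPA) required on the IIS apps
#   3. No plain-HTTP exposure (SSL required on the apps, no http binding)
# Assumptions: run elevated on the AD CS/IIS host; $WebApps lists the enrollment
# applications (CertSrv is the default; the CES path is site-specific).
param(
    [string]   $SiteName = 'Default Web Site',
    [string[]] $WebApps  = @('CertSrv')          # add e.g. '<CA>_CES_Kerberos'
)
Import-Module WebAdministration

function Get-IisAttr([string]$Path, [string]$Filter, [string]$Name) {
    # Get-WebConfigurationProperty may return a ConfigurationAttribute object
    # for enum/flag values; unwrap .Value so the result compares as a string.
    $v = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    if ($null -ne $v.Value) { $v = $v.Value }
    return [string]$v
}

$findings = @()

# 1. SMB signing: RequireSecuritySigning must be $true, not merely enabled.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySigning) {
    $findings += 'SMB signing is not REQUIRED on this server (RequireSecuritySigning=False)'
}

# 2/3. Per-application EPA and SSL checks.
foreach ($app in $WebApps) {
    $path = "IIS:\Sites\$SiteName\$app"
    if (-not (Test-Path $path)) { $findings += "App path not found: $path"; continue }

    $epa = Get-IisAttr $path 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
    if ($epa -ne 'Require') { $findings += "$app: EPA tokenChecking is '$epa', expected 'Require'" }

    $ssl = Get-IisAttr $path 'system.webServer/security/access' 'sslFlags'
    if ($ssl -notmatch 'Ssl') { $findings += "$app: SSL is not required (sslFlags='$ssl')" }
}

# 3. A plain http binding on the site means the enrollment endpoints answer over HTTP.
if (Get-WebBinding -Name $SiteName -Protocol 'http') {
    $findings += "Site '$SiteName' still has an http binding; remove it or redirect to https only"
}

if ($findings.Count -eq 0) { 'All checked AD CS relay mitigations are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it periodically (or from a configuration-compliance job) so a re-enabled HTTP binding or a reset `tokenChecking` value is caught rather than assumed.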