The recently published DFSCoerce PoC exploit uses the MS-DFSNM (Distributed File System Namespace Management) protocol to take over Windows domains. Conceptually, the exploit is similar to the much-discussed PetitPotam attack.
Let me remind you that we recently talked about how LockFile ransomware adopts ProxyShell and PetitPotam vulnerabilities.
Filip Dragovich published a PoC script called “DFSCoerce” for carrying out an NTLM relay attack.
The script abuses the Microsoft Distributed File System protocol to force a Windows host to send its authentication to an arbitrary server, which can allow attackers to take control of the victim’s Windows domain.
DFSCoerce follows a similar attack, PetitPotam, which also enabled attackers to take control of a Windows domain.
Let me remind you that we also reported that Microsoft Has Not Fully Coped with PetitPotam Attacks in Windows NTLM Relay.
Although Microsoft refers to this entire chain of attacks as “PetitPotam”, it is important to understand that PetitPotam is just one of the PoC exploits used to trigger an NTLM authentication request, in its case via an EfsRpcOpenFileRaw call. It should be noted that there may be other methods of provoking Windows into initiating a connection to an arbitrary host with privileged NTLM credentials, and that, in addition to AD CS, there may be other services that can serve as the target of a relayed NTLM authentication request.
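Whatever RPC call triggers the coercion, the relay end of the chain leaves the same trace on the server that accepts the relayed credentials: an NTLM network logon of a domain controller machine account arriving from an address that is not that domain controller. The following PowerShell is an added example written for this article, not code from the original post or from the DFSCoerce project; it flags such logons in Security event 4624 data. The DC inventory and the sample events are constructed for the example, and the property names follow the EventData fields of event 4624.

```powershell
# Added example (not from the original article): flag NTLM network logons of
# domain-controller machine accounts that originate from a non-DC address.
# A coerced DC authentication that is relayed to another server shows up in
# that server's Security log in exactly this shape.

# Assumed inventory for the example: DC machine accounts and their real IPs.
$DomainControllers = @{
    'DC01$' = '10.0.0.10'
    'DC02$' = '10.0.0.11'
}

# Constructed sample records carrying the 4624 EventData fields we need.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4624; TargetUserName = 'DC01$'; LogonType = 3; AuthenticationPackageName = 'NTLM';     IpAddress = '10.0.0.10' }  # DC talking to itself: benign
    [pscustomobject]@{ Id = 4624; TargetUserName = 'DC01$'; LogonType = 3; AuthenticationPackageName = 'NTLM';     IpAddress = '10.0.0.55' }  # DC account from another host: suspicious
    [pscustomobject]@{ Id = 4624; TargetUserName = 'DC02$'; LogonType = 3; AuthenticationPackageName = 'Kerberos'; IpAddress = '10.0.0.77' }  # Kerberos, not relayable NTLM
    [pscustomobject]@{ Id = 4624; TargetUserName = 'alice'; LogonType = 3; AuthenticationPackageName = 'NTLM';     IpAddress = '10.0.0.55' }  # user account: out of scope here
)

# Convert a real Security-log record (from Get-WinEvent) into the same shape.
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Id                        = $Record.Id
        TargetUserName            = $data['TargetUserName']
        LogonType                 = [int]$data['LogonType']
        AuthenticationPackageName = $data['AuthenticationPackageName']
        IpAddress                 = $data['IpAddress']
    }
}

# Heuristic: 4624, network logon (type 3), NTLM, DC machine account, wrong source IP.
function Find-SuspiciousDcNtlmLogon {
    param(
        [Parameter(Mandatory)] [object[]]  $Events,
        [Parameter(Mandatory)] [hashtable] $DcAddresses
    )
    foreach ($e in $Events) {
        if ($e.Id -ne 4624 -or $e.LogonType -ne 3) { continue }
        if ($e.AuthenticationPackageName -ne 'NTLM') { continue }
        if (-not $DcAddresses.ContainsKey($e.TargetUserName)) { continue }
        if ($e.IpAddress -eq $DcAddresses[$e.TargetUserName]) { continue }
        [pscustomobject]@{
            Account  = $e.TargetUserName
            SourceIp = $e.IpAddress
            Expected = $DcAddresses[$e.TargetUserName]
            Reason   = 'DC machine account authenticated with NTLM from a non-DC address'
        }
    }
}

# Run against the constructed sample (expected: one hit, DC01$ from 10.0.0.55).
Find-SuspiciousDcNtlmLogon -Events $SampleEvents -DcAddresses $DomainControllers | Format-Table -AutoSize

# On a live AD CS or other relay-target server, replace $SampleEvents with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ForEach-Object { ConvertFrom-LogonEvent $_ }
```

The check is a heuristic, not a signature: a DC may legitimately authenticate with NTLM from its own address, so the allow-list of DC addresses does the real work, and hosts with several interfaces need every address listed.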
CERT specialists have also released a detailed analysis of DFSCoerce.
Experts interviewed by BleepingComputer confirmed that DFSCoerce allows a low-privileged attacker to become a Windows domain administrator. According to them, the best ways to protect against DFSCoerce are:
- Use Extended Protection for Authentication (EPA);
- Require SMB signing;
- Disable HTTP on AD CS servers;
- Disable NTLM on domain controllers.
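The four settings above are each visible in one registry value or IIS property, so they can be audited rather than assumed. The PowerShell below is an added example written for this article, not code from the original post or from any vendor; it performs read-only checks and reports pass/fail for each mitigation. The registry paths are the standard Windows locations for the corresponding Group Policy settings; the AD CS web-enrollment site path ('IIS:\Sites\Default Web Site\CertSrv') is an assumption and must be adjusted to the local site. Run it elevated on the server holding the role in question (the NTLM and SMB checks on a domain controller, the IIS checks on the certificate authority).

```powershell
# Added example (not from the original article): read-only audit of the four
# DFSCoerce/PetitPotam mitigations. Registry paths are the standard locations;
# the IIS site path for AD CS web enrollment is an assumption for this example.

function Get-RegistryValueOrNull {
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SmbSigningRequired {
    # "Digitally sign communications (always)" for the SMB server and client roles.
    $srv = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'      'RequireSecuritySignature'
    $cli = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
    [pscustomobject]@{ Check = 'SMB signing required (server and client)'; Pass = ($srv -eq 1 -and $cli -eq 1); Value = "server=$srv client=$cli" }
}

function Test-NtlmRestricted {
    # "Network security: Restrict NTLM: Incoming NTLM traffic" = 2 denies all accounts.
    # RestrictNTLMInDomain is reported for context (7 = Deny all in the domain).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $in  = Get-RegistryValueOrNull $lsa 'RestrictReceivingNTLMTraffic'
    $dom = Get-RegistryValueOrNull $lsa 'RestrictNTLMInDomain'
    [pscustomobject]@{ Check = 'Incoming NTLM denied on this host'; Pass = ($in -eq 2); Value = "incoming=$in inDomain=$dom" }
}

function Test-AdcsEpaRequired {
    # EPA on the web-enrollment application: extendedProtection tokenChecking = Require.
    param([string] $SitePath = 'IIS:\Sites\Default Web Site\CertSrv')   # assumption: adjust to the local site
    Import-Module WebAdministration -ErrorAction Stop
    $tc  = Get-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' -Name tokenChecking
    $val = if ($tc -is [string]) { $tc } else { "$($tc.Value)" }   # enum attributes come back wrapped
    [pscustomobject]@{ Check = 'EPA tokenChecking=Require on CertSrv'; Pass = ($val -eq 'Require'); Value = $val }
}

function Test-AdcsHttpDisabled {
    # No plain-HTTP binding on the site hosting AD CS web enrollment.
    param([string] $SiteName = 'Default Web Site')   # assumption: adjust to the local site
    Import-Module WebAdministration -ErrorAction Stop
    $http = @(Get-WebBinding -Name $SiteName -Protocol http)
    [pscustomobject]@{ Check = 'No http binding on AD CS site'; Pass = ($http.Count -eq 0); Value = "http bindings=$($http.Count)" }
}

# Collect results; the IIS checks only make sense where IIS (and AD CS web enrollment) is installed.
$results = @((Test-SmbSigningRequired), (Test-NtlmRestricted))
if (Get-Module -ListAvailable -Name WebAdministration) {
    $results += Test-AdcsEpaRequired
    $results += Test-AdcsHttpDisabled
}
$results | Format-Table -AutoSize
```

A missing registry value is reported as an empty string and counts as a fail, because an unset policy means the Windows default applies, and the default for both SMB signing on member servers and NTLM restriction is "not required".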