New DFSCoerce PoC Exploit Allows Attackers to Take Over Windows Domains

DFSCoerce PoC exploit

The recently published DFSCoerce PoC exploit uses the MS-DFSNM file system to take over Windows domains. This exploit is conceptually similar to the sensational PetitPotam attack.

Let me remind you that we recently talked about how LockFile ransomware adopts ProxyShell and PetitPotam vulnerabilities.

Print Manager is disabled, RPC filters are ready to prevent PetitPotam, Shadow Copy Service is disabled, but do you still want to use Active Directory Domain Services authentication for the domain controller? Don’t worry, MS-DFSNM has your back.Filip Dragovic, an information security specialist, tweeted.

Filip Dragovich published a PoC script called “DFSCoerce” to attack an NTLM relay.

The script uses the Microsoft Distributed File System protocol to relay authentication data to an arbitrary server, which can allow attackers to take control of the victim’s Windows domain.

The DFSCoerce discovery followed a similar attack called PetitPotam, which enabled attackers to take control of a Windows domain.

Let me remind you that we talked about the fact that Microsoft Has Not Fully Coped with PetitPotam Attacks in Windows NTLM Relay.

Although Microsoft refers to this entire chain of attacks as “PetitPotam”, it is important to understand that PetitPotam is simply one of the PoC exploits used to invoke an NTLM authentication request via an EfsRpcOpenFileRaw request. It should be noted that there may be other methods that can provoke Windows to initiate a connection to an arbitrary host using privileged NTLM credentials. In addition to AD CS, there may be services that can be used as a target for a relayed NTLM authentication request.

By passing an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment or Certificate Enrollment Web Service in Active Directory Certificate Services (AD CS), an attacker can obtain a certificate that is then used to obtain a Ticket Granting Ticket (TGT) from domain controller.the CERT Coordinating Center (CERT/CC) noted.

Also, CERT specialists released a detailed analysis of DFSCoerce.

Experts that were interviewed by BleepingComputer confirmed that DFSCoerce allows a low-level attacker to become a Windows domain administrator. According to experts, the best ways to protect against DFSCoerce are:

  1. Use of Extended Protection for Authentication (EPA);
  2. Use of SMB signature;
  3. Disable HTTP on AD CS servers;
  4. Disable NTLM on domain controllers.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published.