"New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover"

Security researcher Filip Dragovic published a new DFSCoerce Windows NTLM relay attack that uses MS-DFSNM (Microsoft’s Distributed File System) to take over Windows domains. Dragovic posted on a GitHub page detailing his findings. Microsoft Active Directory Certificate Services (ADCS) is a public key infrastructure (PKI) service typically used to authenticate users, services, and devices on a given Windows domain. The flaw discovered by Dragovic makes it possible to deploy NTLM relay attacks to force a domain controller to authenticate against a malicious NTLM relay under an attacker’s control. Dragovic noted that the malicious server would subsequently relay the authentication request to a domain’s ADCS via HTTP and obtain a Kerberos ticket-granting ticket (TGT), allowing them to impersonate any device on the network. If the cybercriminal assumed the identity of a domain controller, which usually has elevated privileges, they could execute arbitrary commands. The researchers noted that possible mitigation strategies include enabling protections like Extended Protection for Authentication (EPA), SMB signing, and turning off HTTP on ADCS servers.
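From a detection standpoint, the relay described above leaves a recognisable trace on the host that receives the relayed authentication (for instance the ADCS web enrollment server): a network logon by a domain controller's machine account, authenticated with NTLM rather than Kerberos, arriving from an address that is not the domain controller's. The following Python is an added example, not code from the article or from Dragovic's project; it runs a simple heuristic over constructed, key=value style logon records (a simplified stand-in for Windows Security event 4624 fields) and an assumed asset inventory. Real 4624 events carry more fields and a different layout, so the parser would need adapting to a real log source.

```python
"""Heuristic detection of relayed machine-account NTLM logons.

Added example, not from the article. It assumes a constructed log
format (one key=value record per line) and a constructed inventory
that maps machine accounts to the address they normally log on from.
A domain controller's coerced authentication relayed to another host
shows up on that host as: event 4624, logon type 3 (network), NTLM
authentication package, machine account (name ends in '$'), and a
source address that is not the domain controller's own.
"""
from dataclasses import dataclass

# Constructed inventory: machine account -> expected source IP (assumption).
INVENTORY = {
    "DC01$": "10.0.0.10",
    "WS-FILE01$": "10.0.0.25",
}


@dataclass
class LogonEvent:
    event_id: int
    logon_type: int
    auth_package: str
    account: str
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'Key=Value Key=Value ...' record."""
    fields = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        auth_package=fields["AuthPackage"],
        account=fields["Account"],
        source_ip=fields["SourceIP"],
    )


def is_suspicious(ev: LogonEvent, inventory: dict = INVENTORY) -> bool:
    """True for an NTLM network logon by a known machine account from an
    address other than the one recorded for it. Kerberos logons, user
    accounts and in-inventory source addresses are left alone."""
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False
    if ev.auth_package.upper() != "NTLM":
        return False
    if not ev.account.endswith("$"):
        return False
    expected = inventory.get(ev.account)
    return expected is not None and expected != ev.source_ip


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM Account=DC01$ SourceIP=10.0.0.200",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos Account=DC01$ SourceIP=10.0.0.10",
    "EventID=4624 LogonType=3 AuthPackage=NTLM Account=alice SourceIP=10.0.0.50",
    "EventID=4624 LogonType=3 AuthPackage=NTLM Account=WS-FILE01$ SourceIP=10.0.0.25",
]


def find_suspicious(lines=SAMPLE_LOG, inventory: dict = INVENTORY):
    """Return (account, source_ip) pairs that match the relay heuristic."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev, inventory):
            hits.append((ev.account, ev.source_ip))
    return hits


if __name__ == "__main__":
    for account, ip in find_suspicious():
        print(f"possible relayed NTLM logon: {account} from {ip}")
```

Only the first constructed record is flagged: the domain controller's account authenticating with NTLM from an address that is not its own. The other three are a Kerberos logon, a user account, and a machine account from its expected address. This is a heuristic, not proof of a relay, and it complements rather than replaces the mitigations the article lists (EPA, SMB signing, no HTTP on ADCS).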

Infosecurity reports: "New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover"
