"Exploit Released for New Windows Server 'WinReg' NTLM Relay Attack"
Publicly available Proof-of-Concept (PoC) exploit code for a vulnerability in Microsoft's Remote Registry client can be used to take over a Windows domain by downgrading the security of the authentication process. The vulnerability stems from a fallback mechanism in the Windows Registry (WinReg) client implementation, which relies on old transport protocols if the Server Message Block (SMB) transport is absent. An attacker who exploits the flaw could relay NT (New Technology) LAN Manager (NTLM) authentication to Active Directory Certificate Services (ADCS) to obtain a user certificate for further domain authentication. This article continues to discuss the possible WinReg NTLM Relay attack.
BleepingComputer reports "Exploit Released for New Windows Server 'WinReg' NTLM Relay attack"