Brace yourself for a new PetitPotam-like NTLM relay attack that enables complete Windows domain takeover by abusing Microsoft's Distributed File System Namespace Management protocol (MS-DFSNM). The new attack method, dubbed DFSCoerce, allows adversaries to coerce Windows servers into authenticating to a relay under the attacker's control. Domain Controllers (DCs) are affected as well, which puts the entire domain at risk of compromise. A proof-of-concept (PoC) script demonstrating the DFSCoerce NTLM relay attack is publicly available on GitHub, so in-the-wild abuse attempts are expected soon.
To stay protected against DFSCoerce NTLM relay attacks and identify the related malicious activity in time, SOC Prime's team of content developers has released a dedicated Sigma rule, available in the Detection as Code platform.
This detection is applicable to 17 SIEM, EDR, and XDR language formats supported by SOC Prime's platform and is mapped to the MITRE ATT&CK® framework, addressing the Collection and Lateral Movement tactics with Adversary-in-the-Middle (T1557) and Remote Services (T1021) as the corresponding primary techniques.
Cybersecurity practitioners can access this content item after signing up for or logging into SOC Prime's platform. In addition, SOC Prime users can instantly search for threats associated with the DFSCoerce adversary method via the Quick Hunt module, using the Sigma-based hunting query mentioned above.
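The post does not show the logic of the Sigma rule, so the hunt below is an added example of my own, not SOC Prime's rule or the DFSCoerce author's code. It looks for the artefact an MS-DFSNM coercion leaves on the coerced host: Security event 5145 (Detailed File Share auditing) recording access to the `netdfs` named pipe on `IPC$`, which is how the DFSNM RPC interface is reached over SMB. It assumes the "Detailed File Share" audit subcategory is enabled on the target (`auditpol /set /subcategory:"Detailed File Share" /success:enable`), and that DFS namespaces are administered only from the addresses you pass as `$TrustedSources`; the function names, the sample records and the IP addresses are constructed for illustration.

```powershell
# Added example: not SOC Prime's rule and not the DFSCoerce PoC.
# Hunts Security event 5145 for access to the "netdfs" pipe on IPC$,
# which an MS-DFSNM coercion call must open on the coerced host.
# Assumption: "Detailed File Share" auditing is enabled, otherwise 5145 is never logged.

function ConvertTo-PipeRecord {
    param($Event)
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ShareName -ne '\\*\IPC$' -or $d.RelativeTargetName -ne 'netdfs') { return $null }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Target  = $Event.MachineName
        Source  = $d.IpAddress
        Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
    }
}

function Get-DfsnmPipeAccess {
    # Pull recent 5145 events from the local Security log and keep only netdfs hits.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-PipeRecord -Event $_ } |
        Where-Object { $_ }
}

function Select-SuspiciousDfsnmAccess {
    param(
        [Parameter(ValueFromPipeline)] $Record,
        [string[]]$TrustedSources = @()   # hosts that legitimately manage DFS namespaces
    )
    process {
        # A coercion can be issued with any domain account, so an ordinary user
        # (no trailing $ as in a machine account) touching netdfs from an address
        # that is not a DFS admin host is the signal worth triaging.
        if ($TrustedSources -notcontains $Record.Source -and $Record.Account -notmatch '\$$') {
            $Record
        }
    }
}

# Constructed records (not real telemetry) so the filter can be exercised offline.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; Target = 'DC01'; Source = '10.0.0.50'; Account = 'CORP\jdoe' },
    [pscustomobject]@{ Time = Get-Date; Target = 'DC01'; Source = '10.0.0.5';  Account = 'CORP\dfsadmin' }
)
$sample | Select-SuspiciousDfsnmAccess -TrustedSources '10.0.0.5'

# Live hunt on this host (run elevated so the Security log is readable):
# Get-DfsnmPipeAccess -Hours 48 | Select-SuspiciousDfsnmAccess -TrustedSources '10.0.0.5'
```

Against the constructed sample only the `CORP\jdoe` record from 10.0.0.50 survives the filter, because 10.0.0.5 is allow-listed as a DFS admin host. On a busy namespace server the `$TrustedSources` list is what keeps this hunt quiet; on a DC that hosts no namespaces, any `netdfs` access at all deserves a look.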
To keep abreast of the ever-changing cyber threat landscape and identify malicious presence in your environment in time, SOC Prime's platform curates 190,000+ unique Detection-as-Code content items tailored to organization-specific needs. To explore more SOC content related to NTLM relay attack detection, click the Detect & Hunt button and drill down to the full list of Sigma rules addressing the notorious PetitPotam exploit. To dive into the comprehensive cyber threat context accompanying the Sigma rules that match the selected search criteria, SOC Prime offers a powerful tool that enables browsing for any APT, exploit, or other relevant threat without registration.
To illustrate the critical risks posed by the new DFSCoerce NTLM relay attack, security researcher Filip Dragovic has released a proof-of-concept script that coerces Windows servers into authenticating to an attacker-chosen host through MS-DFSNM, so that the authentication can be relayed. The new attack method is, in fact, a derivative of the infamous PetitPotam, which abuses Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC) to make a remote Windows host initiate NTLM authentication to a listener the adversary controls. The adversary does not receive a reusable password hash; it receives a live NTLM authentication from the target's machine account and relays it to another service. When the relay target is a certificate enrollment endpoint (the classic PetitPotam chain targets Active Directory Certificate Services web enrollment), the adversary obtains an authentication certificate for the coerced machine account that can then be used against any domain service, including the DC.
DFSCoerce follows the same routine but leverages MS-DFSNM instead of MS-EFSRPC. MS-DFSNM is the RPC interface used to manage Windows Distributed File System namespaces; the PoC calls its namespace-root methods (NetrDfsRemoveStdRoot, falling back to NetrDfsAddStdRoot) with a server name that points at the attacker's host, and the target connects to that host and authenticates. As a result, a threat actor with only low-privileged access to a Windows domain can become a domain admin and run any command of their choice, provided a relay target that accepts unsigned or unprotected NTLM authentication is reachable.
Security researchers suggest that organizations likely to be targeted by these attacks enable Windows RPC filters or deploy RPC Firewall to block unneeded calls to the MS-DFSNM interface. Other options include safeguarding authentication credentials by enabling Extended Protection for Authentication (EPA) on the services an attacker would relay to, and requiring SMB and LDAP signing so that a relayed authentication is rejected. Note that blocking MS-DFSNM on a server that actually hosts DFS namespaces breaks remote namespace management, so scope the filter to hosts that do not need it.
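The two host-side controls from the previous paragraph, as an added example of my own rather than anything from the post or its sources: a Windows RPC filter that blocks the MS-DFSNM interface, and mandatory SMB signing so a relayed SMB authentication is refused. It assumes you run it elevated on a server or DC that does not serve DFS namespaces, and that `4fc742e0-4a10-11cf-8273-00aa004ae673` is the interface UUID of the netdfs (MS-DFSNM) RPC interface; the function names are mine. EPA is configured on the relay target (for AD CS web enrollment, in IIS) and is not covered here.

```powershell
# Added example, not part of the original post: host-side hardening against
# DFSCoerce-style coercion. Run elevated. Assumption: this host does not need
# remote DFS namespace administration; the filter blocks the whole interface,
# so test on a namespace server before rolling it out there.

$DfsnmInterfaceUuid = '4fc742e0-4a10-11cf-8273-00aa004ae673'   # netdfs / MS-DFSNM

function Add-DfsnmRpcBlockFilter {
    # A user-mode RPC filter consists of a rule (here: block), zero or more
    # conditions (here: interface UUID equals DFSNM), then "add filter" commits it.
    netsh rpc filter add rule layer=um actiontype=block | Out-Null
    netsh rpc filter add condition field=if_uuid matchtype=equal data=$DfsnmInterfaceUuid | Out-Null
    netsh rpc filter add filter | Out-Null
}

function Test-DfsnmRpcBlockFilter {
    # $true when an installed RPC filter references the DFSNM interface UUID
    # (-match is case-insensitive, so the display casing does not matter).
    $shown = netsh rpc filter show filter
    return [bool]($shown -match $DfsnmInterfaceUuid)
}

function Enable-RequiredSmbSigning {
    # Server-side requirement: clients that cannot sign (and a relay cannot
    # sign on the victim's behalf) are refused. Returns the effective setting.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    return (Get-SmbServerConfiguration).RequireSecuritySignature
}

if (-not (Test-DfsnmRpcBlockFilter)) { Add-DfsnmRpcBlockFilter }
"DFSNM RPC filter installed : $(Test-DfsnmRpcBlockFilter)"
"SMB signing required       : $(Enable-RequiredSmbSigning)"
```

The RPC filter persists across reboots; `netsh rpc filter show filter` lists it with its filter key, and `netsh rpc filter delete filter filterkey=<key>` removes it if DFS namespace administration on the host turns out to be needed after all. SMB signing stops relays to SMB only; relays to LDAP and to AD CS web enrollment need LDAP signing and EPA respectively.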
Sign up for free at SOC Prime's Detection as Code platform for a safer future crafted with the security industry's best practices and shared expertise. The platform enables security practitioners to streamline their SOC operations by participating in top-tier initiatives, adapting their routine to better protect against ever-emerging threats, and integrating their security tools for the utmost performance.