Blog Post

Security, Compliance, and Identity Blog
3 MIN READ

How Microsoft Defender for Identity protects against DFSCoerce

Daniel Naim's avatar
Daniel Naim
Icon for Microsoft rankMicrosoft
Jul 01, 2022

Almost a year has passed since the “PetitPotam” attack vector was initially discovered. Shortly after, Microsoft Defender for Identity provided detection capabilities for this vulnerability. Earlier this month, a new attack vector that was inspired by PetitPotam was published by Filip Dragovic. The attack, which was later dubbed “DFSCoerce” can exploit the DFS-NM protocol to coerce the Domain Controller to authenticate against any server to create NTLM Relay attack. This has the potential to allow a non-privileged user in the domain to become a domain admin.

 

 

 

What is the Distributed File System?

 

First, let’s explain what DFS is and what it is used for. DFS stands for Distributed File System. This function provides the ability to logically group shares on multiple servers and to transparently link shares into a single hierarchical namespace. DFS organizes shared resources on a network in a tree-like structure.

 

This provides virtualized access and management to a networked file system, allowing tasks varying in complexity – like better organization of company files, all the way to more complex benefits like disaster recovery for the file shares.

One of the DFS protocols is the namespace management protocol (MS-DFSNM). This provides a remote procedure call (RPC) interface for administering DFS configurations.

 

DFSCoerce

 

The GitHub proof-of-concept for the new NTLM relay attack called ‘DFSCoerce’ is based on the previously released POC, PetitPotam. This time instead of using the EFRPC protocol, it uses the MS-DFSNM protocol to relay authentication against any remote server. The attack basically points the domain controller to a remote share on a server which is owned by the attack.  

 

One of Defender for Identity’s main goals is to detect any kind of malicious activity against domain controllers. Whenever an attacker is trying to exploit DFS against the DC, a high severity alert will be triggered with information about the target DC and the remote device the DC was forced to authenticate to.

 

 

How to protect your organization further

 

Microsoft has published an advisory on how to prevent NTLM relay attacks. The Microsoft advisory, first introduced during PetitPotam, will also prevent DFSCoerce and other NTLM attack methods.

 

The recommendation is to disable the deprecated NTLM authentication where possible and to prevent NTLM relay attacks on networks with NTLM has to be enabled. Domain administrators must ensure that services permitting NTLM authentication utilize protections such as Extended Protection for Authentication (EPA), or signing features, like SMB signing.

 

What next?

 

We're always adding new capabilities to Defender for Identity, and we'll make announcements about great new features here in this blog, so check back regularly to see what the latest updates bring to your security teams. 

 

  1. Learn more about Microsoft Defender for Identity, and begin a trial for Microsoft Defender for Identity here.
  2. Check out our previous response to recent threats
  3. Learn about Microsoft Defender for Identity's new feature - Response Actions.

 

We're always keen on hearing your feedback, so please let us know in the comments section below if you have anything to share with us about this detection. 

 

 

 

Updated Jul 04, 2022
Version 2.0
No CommentsBe the first to comment