Almost a year has passed since the “PetitPotam” attack vector was first disclosed, and Microsoft Defender for Identity added detection for it shortly afterwards. Earlier this month, Filip Dragovic published a new attack vector inspired by PetitPotam. The attack, later dubbed “DFSCoerce”, abuses the DFS Namespace Management protocol (MS-DFSNM) to coerce a Domain Controller into authenticating to an attacker-chosen server, which the attacker can then use to mount an NTLM relay attack. Under the right conditions this allows a non-privileged domain user to become a domain admin.
What is the Distributed File System?
First, let’s explain what DFS is and what it is used for. DFS stands for Distributed File System. It lets administrators logically group shares that live on multiple servers and link them transparently into a single hierarchical namespace, so shared resources across the network are organized in a tree-like structure.
This gives users virtualized access to, and administrators centralized management of, a networked file system. The benefits range from the simple, such as better organization of company files, to the more complex, such as disaster recovery for file shares.
One of the DFS protocols is the namespace management protocol (MS-DFSNM). This provides a remote procedure call (RPC) interface for administering DFS configurations.
The GitHub proof of concept for the new NTLM relay attack, DFSCoerce, is based on the previously released PetitPotam PoC. Instead of using the EFSRPC protocol (MS-EFSR), it uses MS-DFSNM to coerce the domain controller into authenticating to an arbitrary remote server, where the authentication can be relayed. In short, the attack points the domain controller at a remote share hosted on a server owned by the attacker; the DC’s machine-account authentication to that share is what gets relayed.
One of Defender for Identity’s main goals is to detect any kind of malicious activity against domain controllers. Whenever an attacker tries to exploit DFS against a DC, a high-severity alert is triggered with information about the targeted DC and the remote device the DC was coerced into authenticating to.
How to protect your organization further
Microsoft has published an advisory on how to prevent NTLM relay attacks. The advisory, first issued in response to PetitPotam, also prevents DFSCoerce and other coercion-based NTLM relay methods, because it hardens the relay target rather than the specific RPC interface used to trigger the authentication.
The recommendation is to disable the deprecated NTLM authentication wherever possible and, on networks where NTLM has to remain enabled, to make the relay itself fail. Domain administrators must ensure that services that accept NTLM authentication use protections such as Extended Protection for Authentication (EPA), or signing features such as SMB signing, so that a relayed authentication is rejected at the service.
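The following PowerShell script is an added example, not part of the original post or of Defender for Identity, that audits the three hardening points above on a server that still has to accept NTLM: SMB signing required, inbound NTLM restricted or audited, and EPA required on the AD CS web enrollment site that PetitPotam-style relays target. The IIS path `IIS:\Sites\Default Web Site\CertSrv` is an assumed default for the web enrollment virtual directory, and the `Pass` thresholds (LmCompatibilityLevel 5, RestrictReceivingNTLMTraffic 2) are the values a fully hardened host would show; adjust them to your rollout stage.

```powershell
# Added example (not from the original post): audit NTLM-relay hardening on one server.
# Assumptions: run elevated; the SmbShare and WebAdministration modules are present;
# AD CS web enrollment, if installed, lives at the assumed path below.
$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'   # assumed location of /CertSrv

function Get-SmbSigningStatus {
    # Server-side SMB signing makes a relayed NTLM authentication useless against SMB:
    # the attacker cannot produce the session key needed to sign the relayed session.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Check = 'SMB signing required (server)'
        Value = $cfg.RequireSecuritySignature
        Pass  = [bool]$cfg.RequireSecuritySignature
    }
}

function Get-NtlmRestrictionStatus {
    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM/NTLM responses.
    # RestrictReceivingNTLMTraffic 2 = deny all inbound NTLM; 1 = deny only domain accounts.
    # AuditReceivingNTLMTraffic >= 1 logs inbound NTLM so you can see what would break first.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    @(
        [pscustomobject]@{ Check = 'LmCompatibilityLevel = 5';  Value = $lsa.LmCompatibilityLevel;        Pass = ($lsa.LmCompatibilityLevel -eq 5) }
        [pscustomobject]@{ Check = 'Inbound NTLM denied';       Value = $msv.RestrictReceivingNTLMTraffic; Pass = ($msv.RestrictReceivingNTLMTraffic -eq 2) }
        [pscustomobject]@{ Check = 'Inbound NTLM audited';      Value = $msv.AuditReceivingNTLMTraffic;    Pass = ($msv.AuditReceivingNTLMTraffic -ge 1) }
    )
}

function Get-CertSrvEpaStatus {
    # EPA (channel binding) ties the NTLM exchange to the TLS channel the client used,
    # so an authentication relayed from an SMB/RPC coercion cannot be accepted over HTTPS.
    # Treat "site not found" as a separate result rather than a failure.
    try {
        Import-Module WebAdministration -ErrorAction Stop
        if (-not (Test-Path $CertSrvPath)) {
            return [pscustomobject]@{ Check = 'EPA required on /CertSrv'; Value = 'not installed'; Pass = $null }
        }
        $attr = Get-WebConfigurationProperty -PSPath $CertSrvPath `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name tokenChecking
        # The cmdlet may return a plain string or a ConfigurationAttribute (assumption: .Value holds the string).
        $value = if ($attr -is [string]) { $attr } else { $attr.Value }
        [pscustomobject]@{ Check = 'EPA required on /CertSrv'; Value = $value; Pass = ($value -eq 'Require') }
    } catch {
        [pscustomobject]@{ Check = 'EPA required on /CertSrv'; Value = "error: $($_.Exception.Message)"; Pass = $false }
    }
}

$results = @(Get-SmbSigningStatus) + @(Get-NtlmRestrictionStatus) + @(Get-CertSrvEpaStatus)
$results | Format-Table -AutoSize

# Remediation for the two settings this script can change directly (uncomment to apply).
# NTLM restriction is left to Group Policy, since denying inbound NTLM before auditing breaks clients.
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
# Set-WebConfigurationProperty -PSPath $CertSrvPath `
#     -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
#     -Name tokenChecking -Value Require
```

Run the audit on every host that accepts NTLM from the domain controllers, not only on the certificate authority: a coerced DC authentication can be relayed to any server where signing or channel binding is not enforced, which is why the advisory hardens the services rather than the coercion trigger.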
We're always adding new capabilities to Defender for Identity, and we'll make announcements about great new features here in this blog, so check back regularly to see what the latest updates bring to your security teams.