News

Microsoft Highlights Protections Against NTLM Relay Attack Variant DFSCoerce

• By Kurt Mackie
• 07/01/2022

Microsoft on Friday noted that a new "PetitPotam" NT LAN Manager (NTLM) relay attack variant called "DFSCoerce" is addressed if organizations followed its earlier advice in Knowledge Base article KB5005413.

DFSCoerce was disclosed in a June 18 Twitter post by Filip Dragovic. Its effectiveness was confirmed by Will Dormann, a vulnerability analyst at the U.S. Computer Emergency Readiness Team (CERT/CC), in a June 20 Twitter post:

Yep, this works. Just like the attack chain starting with PetitPotam works. You all already knew that if you didn't already apply the PetitPotam mitigations from last August the entire attack chain still works today as it was originally described, right? https://kb.cert.org/vuls/id/405600.

PetitPotam is the name of a proof-of-concept attack method that was described last August, affecting organizations with Windows domain controllers. It leverages the Encrypting File System Remote (EFSRPC) Protocol to spoof the Windows Local Security Authority. The vulnerability was said back then by Microsoft to just apply to Window Server products where "Active Directory Certificate Services (AD CS) is not configured with protections for NTLM relay attacks."

In essence, a PetitPotam exploit allows an attacker to compel a domain controller to authenticate to an NTLM relay server that is controlled by the attacker, allowing network traffic interception, as well as the ability to impersonate clients.

Microsoft's announcement explained that DFSCoerce is using a different protocol than the EFSRPC Protocol for NTLM relay attacks:

This time instead of using the EFRPC protocol, it uses the MS-DFSNM protocol to relay authentication against any remote server. The attack basically points the domain controller to a remote share on a server which is owned by the attack.

The Distributed File System Namespace Management (DFSNM) protocol "provides an RPC [remote procedure call] interface for administering DFS configurations," according to this Microsoft document description.

Organizations that followed earlier advice in Knowledge Base article KB5005413 are protected, Microsoft indicated.

"Microsoft has published an advisory on how to prevent NTLM relay attacks," the announcement stated. "The Microsoft advisory, first introduced during PetitPotam, will also prevent DFSCoerce and other NTLM attack methods."

The announcement also didn't shirk from touting Microsoft Defender for Identity service, too. Microsoft Defender for Identity will send a high severity alert "whenever an attacker is trying to exploit DFS against the DC [domain controller]."

Something like the DFSCoerce attack method was anticipated by security researchers back in August. Dormann had warned back then that other Local Security Authority spoofs besides PetitPotam could be devised.

PetitPotam is only fixed for the one function that was originally in the first PetitPotam PoC [proof of concept]. Turns out there are several other unauthenticated LSARPC [Local Security Authority Remote Procedure Call] functions that coerce a machine authentication to an arbitrary host w/ NTLM.

He had described the PetitPotam vulnerability back than as "one tiny piece of the big picture."