Security researcher Filip Dragovic has shared a new NTLM relay attack on Domain Controllers, dubbed DFSCoerce, which uses the MS-DFSNM (Distributed File System Namespace Management) protocol to relay DC authentication to ADCS (Active Directory Certificate Services). Left unaddressed, the attack lets an adversary obtain a certificate that can in turn be used to obtain a Ticket Granting Ticket (TGT) from the domain controller. Given that impact, fixing or mitigating DFSCoerce is highly important. If you skipped applying the mitigations for PetitPotam, the NTLM relay attack discovered in 2021, apply the required changes as soon as you can. This post is meant to help you learn how to mitigate DFSCoerce, a PetitPotam-like NTLM relay attack on Domain Controllers.
Before we jump into the actual matter, it is worth clarifying a few concepts. Let’s begin with a short introduction to the NTLM relay attack and the significance of MS-DFSNM, and finally look at how to mitigate DFSCoerce, a PetitPotam-like NTLM relay attack on Domain Controllers.
The NTLM relay attack is a type of attack that allows an attacker to gain access to a network by relaying NTLM authentication requests. It can be used to compromise any account on the network, including administrator accounts.
In these attacks, an attacker who can intercept a user’s NTLM authentication messages while they are transmitted between a client and a server can reflect or forward them to another server on which the user has an account. This lets the intruder access those resources as if they were the client.
MS-DFSNM is the protocol specification that defines how the Distributed File System Namespace (DFSN) is managed. DFSN is a Microsoft Windows feature that allows for the creation of a virtual file system, which can be used to provide high availability and load balancing for file shares in a networked environment. MS-DFSNM defines the methods and objects used by clients and servers to manage the namespace, as well as the format of the namespace metadata. MS-DFSNM also defines how namespace changes are propagated between servers, and how clients are redirected to the appropriate server when accessing files in the namespace.
In this context, it provides an RPC interface for administering DFS configurations. The client is an application that issues method calls on the RPC interface to administer DFS. The server is a DFS service that implements support for this RPC interface for administering DFS.
DFSCoerce is a newly discovered NTLM relay attack that could allow adversaries to relay DC authentication to ADCS using MS-DFSNM protocol. The flaw has no identifier assigned, and no CVSS score has been calculated yet.
Security researcher Filip Dragovic wrote “Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay DC authentication to ADCS? Don’t worry MS-DFSNM have your back ;)” in his tweet and shared the proof-of-concept for DFSCoerce.
In support of this, Will Dormann confirmed on Twitter that the PoC shared by Filip Dragovic works.
Since DFSCoerce is an NTLM relay attack like PetitPotam, you are vulnerable to the flaw if you use either of these ADCS services in your environment:
Certificate Authority Web Enrollment
Certificate Enrollment Web Service
So we recommend implementing all the mitigations suggested for mitigating the PetitPotam attack.
“This update blocks the unauthenticated EfsRpcOpenFileRaw API call that is exposed through the LSARPC interface. Note that the EFSRPC interface for accessing EfsRpcOpenFileRaw is still reachable to authenticated users after installing this update. In addition, other EFSRPC functions that require authentication to exploit are still exposed to users via LSARPC after this update is installed. This required authentication may take place silently via SSO on domain-joined systems. Please see KB5005413 for several additional workarounds that can help mitigate other techniques for relaying NTLM credentials using an AD CS server.”
Please read this post for more details: https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
Disable incoming NTLM authentication wherever possible. Follow these steps to disable NTLM on:
Active Directory Certificate Services: open Group Policy and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, then set Network security: Restrict NTLM: Incoming NTLM traffic to Deny All Accounts or Deny All domain accounts.
Internet Information Services: disable NTLM on the IIS servers on which the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services are running. Open IIS Manager, select Sites -> Default Web Site (or another name if it was manually reconfigured) -> *-CA_CES_Kerberos and CertSrv, select Windows Authentication, click the Providers… link on the right side, select NTLM, click the Remove button, and restart IIS from an Administrator CMD prompt: iisreset /restart.
Another mitigation is to install RPC filters that block the RPC interface UUIDs for EFSRPC. Refer to this post for more information.
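As an added example (not code from the original post or from Dragovic’s PoC), the following PowerShell script audits whether the mitigations above are in place on a host: the incoming-NTLM policy, the NTLM provider on the AD CS web applications, and RPC filters. It assumes the IIS site is named “Default Web Site”, and the interface UUIDs are the published EFSRPC and MS-DFSNM (netdfs) interface identifiers; because Dragovic’s tweet above shows the attack working with PetitPotam RPC filters already installed, the script also checks for a filter on the MS-DFSNM interface rather than only on EFSRPC.

```powershell
# Audit script added for this post (not the author's or Dragovic's code).
# Run elevated. Checks 1 and 2 apply to the AD CS / IIS host, check 3 to
# whichever server the RPC filters were installed on (typically the DC).
# Assumption: the IIS site is named "Default Web Site".

# 1. "Network security: Restrict NTLM: Incoming NTLM traffic" is backed by
#    RestrictReceivingNTLMTraffic: 0 = Allow all, 1 = Deny all domain accounts,
#    2 = Deny all accounts.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
if ($restrict -ge 1) { "[OK]   Incoming NTLM restricted (value $restrict)" }
else                 { "[WARN] Incoming NTLM not restricted (value '$restrict')" }

# 2. Is the NTLM provider still enabled on CertSrv or the *-CA_CES_Kerberos app?
Import-Module WebAdministration
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$apps   = Get-WebApplication -Site 'Default Web Site' |
          Where-Object { $_.path -match '^/(CertSrv|.*CES_Kerberos)$' } |
          ForEach-Object { "Default Web Site$($_.path)" }
if (-not $apps) { "[INFO] No CertSrv / CES application found under 'Default Web Site'" }
foreach ($app in $apps) {
    $cfg = & $appcmd list config "$app" /section:system.webServer/security/authentication/windowsAuthentication
    if (($cfg -join "`n") -match 'value="NTLM"') { "[WARN] NTLM provider still enabled on $app" }
    else                                        { "[OK]   NTLM provider removed on $app" }
}

# 3. RPC filters. Published interface UUIDs (verify against the MS-EFSR and
#    MS-DFSNM specs). A filter on MS-DFSNM also blocks legitimate DFS namespace
#    management RPC calls to this server, so test it before rolling out widely.
$uuids = [ordered]@{
    'EFSRPC over lsarpc' = 'c681d488-d850-11d0-8c52-00c04fd90f7e'
    'EFSRPC over efsrpc' = 'df1941c5-fe89-4e79-bf10-463657acf44d'
    'MS-DFSNM (netdfs)'  = '4fc742e0-4a10-11cf-8273-00aa004ae673'
}
$filters = (& netsh rpc filter show filter) -join "`n"
foreach ($name in $uuids.Keys) {
    if ($filters -match $uuids[$name]) { "[OK]   RPC filter present for $name" }
    else                               { "[WARN] No RPC filter for $name" }
}
```

A [WARN] line for MS-DFSNM with [OK] lines for EFSRPC is exactly the state the PoC tweet describes, so treat that combination as still exposed.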
We hope this post helps you understand how to mitigate DFSCoerce, a PetitPotam-like NTLM relay attack on Domain Controllers.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.