{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-044.pdf"
    },
    "title": "MS-DFSNM NTLM Relay Attack for Windows Domain Takeover",
    "serial_number": "2022-044",
    "publish_date": "21-06-2022 09:18:00",
    "description": "On the 18th of June 2022, a security researcher published a proof of concept for MS-DFSNM coerce authentication using the \"NetrDfsRemoveStdRoot\" method. This type of attack allows Windows domain takeover. To coerce a remote server to authenticate against a malicious NTLM relay, threat actors could use various methods, including the MS-RPRN, MS-EFSRPC (PetitPotam), and MS-FSRVP protocols.",
    "url_title": "2022-044",
    "content_markdown": "---\ntitle: 'MS-DFSNM NTLM Relay Attack for\u00a0Windows Domain Takeover'\nversion: '1.0'\nnumber: '2022-044'\noriginal_date: 'June 18, 2022'\ndate: 'June 21, 2022'\n---\n\n_History:_\n\n* _21/06/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn the 18th of June 2022, a security researcher published a proof of concept for MS-DFSNM coerce authentication using the `NetrDfsRemoveStdRoot` method [1]. This type of attack allows Windows domain takeover. To coerce a remote server to authenticate against a malicious NTLM relay, threat actors could use various methods, including the MS-RPRN, MS-EFSRPC (PetitPotam), and MS-FSRVP protocols [2-7].\n\n# Technical Details\n\nA Windows NTLM relay attack has been discovered that uses MS-DFSNM, Microsoft's Distributed File System [8], which can take over a Windows domain.\n\nThis service is vulnerable to NTLM relay attacks, in which threat actors force, or coerce, a domain controller to authenticate against a malicious NTLM relay under an attacker's control.\n\nThis malicious server would then relay, or forward, the authentication request to a domain's Active Directory Certificate Services via HTTP and ultimately be granted a Kerberos ticket-granting ticket (TGT). This ticket allows the threat actors to assume the identity of any device on the network, including a domain controller.\n\nOnce they have impersonated a domain controller, they will have elevated privileges allowing them to take over the domain and run any command [2].\n\n# Recommendations\n\nThere are several mitigations against the aforementioned attack which are general best practice and are listed below [2].\n\n- Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) [9].\n- Extended Protection for Authentication Overview [10] combined with signing features, such as SMB signing, to protect Windows credentials [11].\n- Use of Windows' built-in RPC Filters [12] or RPC Firewall [13] to prevent servers from being coerced via the MS-DFSNM protocol.\n\n# References\n\n[1] <https://github.com/Wh04m1001/DFSCoerce>\n\n[2] <https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-attack-allows-windows-domain-takeover/>\n\n[3] <http://www.thehacker.recipes/active-directory-domain-services/movement/mitm-and-coerced-authentications/ms-rprn>\n\n[4] <https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/>\n\n[5] <https://github.com/ShutdownRepo/ShadowCoerce>\n\n[6] <https://github.com/leechristensen/SpoolSample>\n\n[7] <https://github.com/topotam/PetitPotam>\n\n[8] <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979>\n\n[9] <https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>\n\n[10] <https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/extended-protection-for-authentication-overview>\n\n[11] <https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing>\n\n[12] <https://www.akamai.com/blog/security/guide-rpc-filter#why>\n\n[13] <https://zeronetworks.com/blog/the-ransomware-kill-switch-becomes-even-more-deadly-the-rpc-firewall-2-0-released/>\n\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>21/06/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 18th of June 2022, a security researcher published a proof of concept for MS-DFSNM coerce authentication using the <code>NetrDfsRemoveStdRoot</code> method [1]. This type of attack allows Windows domain takeover. To coerce a remote server to authenticate against a malicious NTLM relay, threat actors could use various methods, including the MS-RPRN, MS-EFSRPC (PetitPotam), and MS-FSRVP protocols [2-7].</p><h2 id=\"technical-details\">Technical Details</h2><p>A Windows NTLM relay attack has been discovered that uses MS-DFSNM, Microsoft's Distributed File System [8], which can take over a Windows domain.</p><p>This service is vulnerable to NTLM relay attacks, in which threat actors force, or coerce, a domain controller to authenticate against a malicious NTLM relay under an attacker's control.</p><p>This malicious server would then relay, or forward, the authentication request to a domain's Active Directory Certificate Services via HTTP and ultimately be granted a Kerberos ticket-granting ticket (TGT). This ticket allows the threat actors to assume the identity of any device on the network, including a domain controller.</p><p>Once they have impersonated a domain controller, they will have elevated privileges allowing them to take over the domain and run any command [2].</p><h2 id=\"recommendations\">Recommendations</h2><p>There are several mitigations against the aforementioned attack which are general best practice and are listed below [2].</p><ul><li>Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) [9].</li><li>Extended Protection for Authentication Overview [10] combined with signing features, such as SMB signing, to protect Windows credentials [11].</li><li>Use of Windows' built-in RPC Filters [12] or RPC Firewall [13] to prevent servers from being coerced via the MS-DFSNM protocol.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/Wh04m1001/DFSCoerce\">https://github.com/Wh04m1001/DFSCoerce</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-attack-allows-windows-domain-takeover/\">https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-attack-allows-windows-domain-takeover/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"http://www.thehacker.recipes/active-directory-domain-services/movement/mitm-and-coerced-authentications/ms-rprn\">http://www.thehacker.recipes/active-directory-domain-services/movement/mitm-and-coerced-authentications/ms-rprn</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/\">https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/ShutdownRepo/ShadowCoerce\">https://github.com/ShutdownRepo/ShadowCoerce</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/leechristensen/SpoolSample\">https://github.com/leechristensen/SpoolSample</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/topotam/PetitPotam\">https://github.com/topotam/PetitPotam</a></p><p>[8] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979\">https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed1223979</a></p><p>[9] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429\">https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429</a></p><p>[10] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/extended-protection-for-authentication-overview\">https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/extended-protection-for-authentication-overview</a></p><p>[11] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing\">https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing</a></p><p>[12] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.akamai.com/blog/security/guide-rpc-filter#why\">https://www.akamai.com/blog/security/guide-rpc-filter#why</a></p><p>[13] <a rel=\"noopener\" target=\"_blank\" href=\"https://zeronetworks.com/blog/the-ransomware-kill-switch-becomes-even-more-deadly-the-rpc-firewall-2-0-released/\">https://zeronetworks.com/blog/the-ransomware-kill-switch-becomes-even-more-deadly-the-rpc-firewall-2-0-released/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}