New Attack Vectors Leverage Windows Protocols
Cybersecurity researchers from Unit 42 have identified four new variations of authentication coercion attacks in Windows. These attacks force a victim machine, domain controllers included, to initiate an authentication to an attacker-controlled host. That coerced authentication is the first step of an NTLM relay attack, which can end in a complete domain takeover. The newly described methods abuse functions in the Distributed File System Namespace Management protocol (MS-DFSNM) and the Encrypting File System Remote protocol (MS-EFSR), widening the coercion surface beyond previously known techniques such as PetitPotam.
The research details two variations for each protocol. For DFSNM, the NetrDfsAddStdRoot and NetrDfsAddFtRoot functions can be invoked to make a domain controller authenticate to an attacker-supplied server path. Within EFSR, new variations of calls to EfsRpcOpenFileRaw and EfsRpcEncryptFileSrv (both functions that PetitPotam already abuses) coerce authentication from the target server. Each of these is one more way for a threat actor who already has a foothold in the network to kick off a relay chain against a Windows domain.
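Both interfaces are reached over SMB named pipes (MS-DFSNM on \pipe\netdfs, MS-EFSR on \pipe\efsrpc or \pipe\lsarpc), and with the "Audit Detailed File Share" subcategory enabled a domain controller logs every pipe open in Security event 5145 with the pipe name in RelativeTargetName. The hunt below is an added example written for this page, not code from Unit 42 or from any coercion tool: it pulls 5145 events from a host, keeps only opens of those three pipes over IPC$, drops sources you have allow-listed, and groups the rest by source address. The pipe names come from the protocol specifications; the parameter names and the allow-list are the example's own.

```powershell
# Added example: hunt for access to the RPC pipes that DFSNM/EFSR coercion rides on.
# Requires Security event 5145 (Audit Detailed File Share) on the target host.
# Pipe names are from MS-DFSNM (netdfs) and MS-EFSR (efsrpc, lsarpc).
$CoercionPipes = @('netdfs', 'efsrpc', 'lsarpc')

function Get-EventDataField {
    # Pull one <Data Name="..."> value out of an EventLogRecord's XML body.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    [xml]$x = $Event.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-CoercionPipeAccess {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string[]]$Pipes = $CoercionPipes,
        # Hosts that legitimately open these pipes (other DCs, backup/DFS admin hosts).
        # Assumed to be maintained by the reader; empty by default.
        [string[]]$KnownGoodSources = @()
    )
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $share  = Get-EventDataField -Event $e -Name 'ShareName'
        $target = Get-EventDataField -Event $e -Name 'RelativeTargetName'
        if ($share -ne '\\*\IPC$' -or $target -notin $Pipes) { continue }
        $src = Get-EventDataField -Event $e -Name 'IpAddress'
        if ($src -in $KnownGoodSources) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Source  = $src
            Subject = Get-EventDataField -Event $e -Name 'SubjectUserName'
            Pipe    = $target
            Target  = $ComputerName
        }
    }
}

# One workstation (or one unexpected server) repeatedly opening netdfs or efsrpc on a
# DC is the pattern worth chasing; lsarpc is noisier and needs the allow-list.
Find-CoercionPipeAccess |
    Group-Object Source, Pipe |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Two caveats. First, a 5145 hit is the attacker's inbound call; the coercion itself is the DC's outbound SMB connection to the path the call named, so the same hunt should be paired with network telemetry for domain controllers opening TCP 445 toward hosts that are not file servers. Second, lsarpc carries plenty of legitimate traffic (PetitPotam used it precisely because it is always reachable), so for that pipe the signal is volume from an unexpected source rather than any single event.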
Impact and Official Mitigations
A successful coercion lets an adversary relay the NTLM authentication in flight (the challenge-response exchange, not a password) to another service that accepts NTLM without signing or channel binding, such as the Active Directory Certificate Services (AD CS) web enrollment endpoint. In that case the attacker obtains a certificate for the coerced machine account, can then authenticate as the domain controller, and from there compromise the entire domain. The coercion primitive on its own is harmless; it is the combination with a relay target that lacks these protections that makes it a domain-takeover path.
In response to these types of threats, Microsoft has provided mitigation guidance. The primary recommendation is to disable NTLM authentication across the domain wherever possible, auditing NTLM usage first so that the dependencies are known before anything is denied. Where NTLM cannot be fully disabled, enabling Extended Protection for Authentication (EPA) on HTTP endpoints such as AD CS web enrollment and enforcing SMB signing on servers and clients are the advised hardening measures; the same reasoning applies to LDAP signing and channel binding for relays aimed at LDAP. Each of these binds the authentication to the channel it arrived on, so a relayed authentication cannot be used on a different connection.
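The audit below is an added example written for this page, not Microsoft's or Unit 42's code. It is read-only: it reports, for the local host, whether the three mitigations above are in their hardened state, so it can be run on a domain controller (SMB signing and NTLM policy) and on the AD CS web enrollment server (EPA, which needs the WebAdministration module). The registry locations are the ones the "Network security: Restrict NTLM" and "LAN Manager authentication level" policies write to; the IIS site path assumes a default AD CS web enrollment install, and the expected values are the example's choice of "fully hardened", so adjust them to the policy you are actually rolling out.

```powershell
# Added example: read-only check of NTLM restriction, SMB signing and AD CS EPA.
# Run elevated. Expected values are this example's hardened targets, not a Microsoft default.
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, $Actual, $Expected) {
    if ($null -eq $Actual) { $Actual = '(not set)' }
    $Findings.Add([pscustomobject]@{
        Check    = $Check
        Actual   = $Actual
        Expected = $Expected
        Status   = if ("$Actual" -eq "$Expected") { 'OK' } else { 'WEAK' }
    })
}

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. SMB signing: required on both sides, so a relayed SMB session is useless
#    without the session key the relaying attacker never obtains.
Add-Finding 'SMB server RequireSecuritySignature' (Get-SmbServerConfiguration).RequireSecuritySignature $true
Add-Finding 'SMB client RequireSecuritySignature' (Get-SmbClientConfiguration).RequireSecuritySignature $true

# 2. NTLM policy. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
#    RestrictReceiving/SendingNTLMTraffic 2 = deny all. Set AuditReceivingNTLMTraffic = 2
#    and read the Microsoft-Windows-NTLM/Operational log before you move to deny.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Add-Finding 'LmCompatibilityLevel (5 = NTLMv2 only)'          (Get-RegValue $lsa 'LmCompatibilityLevel')        5
Add-Finding 'AuditReceivingNTLMTraffic (2 = audit all)'       (Get-RegValue $msv 'AuditReceivingNTLMTraffic')   2
Add-Finding 'RestrictReceivingNTLMTraffic (2 = deny all)'     (Get-RegValue $msv 'RestrictReceivingNTLMTraffic') 2
Add-Finding 'RestrictSendingNTLMTraffic (2 = deny all)'       (Get-RegValue $msv 'RestrictSendingNTLMTraffic')   2

# 3. EPA on AD CS web enrollment (KB5005413): Windows auth must require the channel
#    binding token and the site must be HTTPS-only, otherwise a relayed NTLM
#    authentication to /certsrv still yields a certificate for the victim account.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $site = 'IIS:\Sites\Default Web Site\CertSrv'   # assumed default site layout
    if (Test-Path $site) {
        function Get-IisAttr([string]$PSPath, [string]$Filter, [string]$Name) {
            $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
            if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
        }
        $winAuth = 'system.webServer/security/authentication/windowsAuthentication'
        $epa = Get-IisAttr $site $winAuth 'extendedProtection.tokenChecking'
        Add-Finding 'AD CS /CertSrv EPA tokenChecking' "$epa" 'Require'
        $ssl = Get-IisAttr $site 'system.webServer/security/access' 'sslFlags'
        Add-Finding 'AD CS /CertSrv requires SSL' ([bool]("$ssl" -match '\bSsl\b')) $true
    } else {
        Add-Finding 'AD CS /CertSrv site present' $false $true
    }
}

$Findings | Format-Table -AutoSize
```

Anything reported as WEAK is a relay target until fixed: SMB signing is set with Set-SmbServerConfiguration -RequireSecuritySignature $true (and the client-side equivalent) or the "Digitally sign communications (always)" policies, the NTLM values through the matching Group Policy settings rather than by hand-editing the registry on one host, and EPA by setting extendedProtection tokenChecking to Require and sslFlags to Ssl on the CertSrv site. Disabling NTLM outright is the only change that removes the coercion primitive itself; the other two only close the places a coerced authentication can be relayed to.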