Concise Cyber


Authentication Coercion Evolves: New NTLM Relay Attack Vectors Discovered in Windows

New Attack Vectors Leverage Windows Protocols

Cybersecurity researchers from Unit 42 have identified four new variations of authentication coercion attacks in Windows. These attacks force a victim machine, including domain controllers, to authenticate to an attacker-controlled server. This coerced authentication is a critical step in facilitating NTLM relay attacks, which can ultimately lead to a complete domain takeover. The newly discovered methods exploit functionalities within the Distributed File System Namespace Management (DFSNM) and the Windows Encrypting File System (EFS) protocols, expanding the attack surface beyond previously known techniques like PetitPotam.

The research details two specific variations for each protocol. For DFSNM, attackers can use the NetrDfsAddStdRoot and NetrDfsAddFtRoot functions to trigger an authentication attempt from a domain controller. Similarly, within the EFS protocol, the EfsRpcOpenFileRaw and EfsRpcEncryptFileSrv functions can be abused to coerce authentication from a target server. These methods provide threat actors with additional tools to initiate complex attack chains within a Windows domain environment.

Impact and Official Mitigations

A successful authentication coercion attack allows an adversary to relay the coerced NTLM authentication to another service, such as Active Directory Certificate Services (AD CS). By doing so, the attacker can impersonate the victim machine and gain elevated privileges, potentially compromising the entire domain. This highlights the significant risk posed by NTLM relay vulnerabilities.

In response to these types of threats, Microsoft has provided guidance for mitigation. The primary recommendation is to disable NTLM authentication wherever possible across the domain. For environments where NTLM cannot be fully disabled, enabling Extended Protection for Authentication (EPA) and enforcing SMB signing are advised as hardening measures. Both controls bind the authentication to the channel it was performed over, so an authentication that is relayed to a different service or connection is rejected, which blunts the coercion techniques described above.
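As an added example, not part of the article or of Microsoft's guidance text, the following read-only PowerShell audit reports the state of the three hardening controls named above on the host it runs on (a domain controller, an AD CS server or a file server). The registry locations for the "Network security: Restrict NTLM" policies and the `Get-Smb*Configuration` cmdlets are Microsoft's documented ones; the IIS path for the AD CS web enrollment application (`Default Web Site\CertSrv`) is an assumption that matches a default install and is skipped if it does not exist.

```powershell
# Added example: audit NTLM relay hardening (Restrict NTLM, SMB signing, EPA on AD CS web enrollment).
# Read-only; run in an elevated PowerShell session on the server being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-NtlmRelayHardening {
    $findings = @()

    # 1. "Disable NTLM where possible": Restrict NTLM policies live under MSV1_0.
    #    2 = Deny all; 1 = Audit/allow per exception list; 0 or missing = Allow all.
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $inbound  = Get-RegValue $msv 'RestrictReceivingNTLMTraffic'
    $outbound = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
    $findings += [pscustomobject]@{
        Control = 'Restrict NTLM: incoming traffic'; Value = $inbound
        Pass = ($inbound -eq 2); Expected = '2 (Deny all accounts)' }
    $findings += [pscustomobject]@{
        Control = 'Restrict NTLM: outgoing traffic'; Value = $outbound
        Pass = ($outbound -eq 2); Expected = '2 (Deny all)' }

    # 2. SMB signing must be *required* (not merely enabled) on both server and client roles.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $findings += [pscustomobject]@{
        Control = 'SMB server: RequireSecuritySignature'; Value = $srv.RequireSecuritySignature
        Pass = [bool]$srv.RequireSecuritySignature; Expected = 'True' }
    $findings += [pscustomobject]@{
        Control = 'SMB client: RequireSecuritySignature'; Value = $cli.RequireSecuritySignature
        Pass = [bool]$cli.RequireSecuritySignature; Expected = 'True' }

    # 3. EPA on the AD CS web enrollment endpoint (a common relay target).
    #    Assumption: default CertSrv application path; skipped when IIS or the app is absent.
    $certSrv = 'IIS:\Sites\Default Web Site\CertSrv'
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        if (Test-Path $certSrv) {
            $epa = Get-WebConfigurationProperty -PSPath $certSrv `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
                -Name 'tokenChecking'
            $tokenChecking = if ($epa.PSObject.Properties['Value']) { [string]$epa.Value } else { [string]$epa }
            $findings += [pscustomobject]@{
                Control = 'AD CS web enrollment: EPA tokenChecking'; Value = $tokenChecking
                Pass = ($tokenChecking -eq 'Require'); Expected = 'Require' }
        }
    }

    return $findings
}

# Usage: print the table and exit non-zero if any control fails, so the script can gate a build or a GPO rollout.
$results = Test-NtlmRelayHardening
$results | Format-Table Control, Value, Expected, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

A `Value` of blank for the Restrict NTLM rows means the policy has never been set, which Windows treats as "Allow all"; that is the state a relay attack relies on, so it is reported as a failure rather than as unknown. Rolling `RestrictReceivingNTLMTraffic` to 2 on a domain controller without first running in audit mode (value 1 and checking the NTLM operational event log) will break any remaining legacy clients, so the audit deliberately only reads.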

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person's work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
