Horizon3.ai Docs

Microsoft Windows Machine Account NTLM Coercion via Authenticated LSARPC Spoofing

Horizon3.ai Docs

Home
Quickstart
Quickstart
- Setup NodeZero Host
  Setup NodeZero Host
- Run an Internal Pentest
  Run an Internal Pentest
Portal
Portal
- Test Types
  Test Types
  - Internal Pentest
    
    Internal Pentest
  - External Pentest
    
    External Pentest
    
    Create an Asset Group
    
    Run Asset Discovery
    
    Authorize Assets
    
    Run External Pentest
  - AWS Pentest
    
    AWS Pentest
  - Azure Entra ID
    
    Azure Entra ID
  - Kubernetes Pentest
    
    Kubernetes Pentest
    
    Operator ClusterRole CRD
    
    Pentest & Runner ClusterRole CRD
  - AD Password Audit
    
    AD Password Audit
  - Segmentation Test
    
    Segmentation Test
  - Phishing Test
    
    Phishing Test
    
    The NodeZero Phishing Script
  - Insider Threat Test
    
    Insider Threat Test
  - Rapid Response
    
    Rapid Response
    
    Alerts
    
    Alerts
    
    Rapid Response Activity Cards
    
    Rapid Response Activity Cards
    
    Targeted Tests
    
    Targeted Tests
  - 1-Click Verify
    
    1-Click Verify
- Portal Settings
  Portal Settings
  - Set a Proxy
    
    Set a Proxy
  - Email Notifications
    
    Email Notifications
  - Pentest Templates
    
    Pentest Templates
  - User Management
    
    User Management
  - Client Management
    
    Client Management
  - Single Sign-On (SSO)
    
    Single Sign-On (SSO)
  - IDentity Provider (IdP) Guides
    
    IDentity Provider (IdP) Guides
    
    Azure
    
    Okta
- Features
  Features
  - Attack Configuration
    
    Attack Configuration
    
    Remote Access Tool
  - BloodHound
    
    BloodHound
  - Injecting Credentials
    
    Injecting Credentials
    
    Injecting an AWS Role
    
    Injecting an Azure MFA Credential
  - Schedules
    
    Schedules
  - Co-Branding
    
    Co-Branding
Tripwires
Tripwires
- Getting Started
- Management
- Alerts
- Settings
  Settings
Insights
Insights
CLI
CLI
- Getting Started
- Guides
  Guides
API
API
- API Reference
  API Reference
Release Notes
Release Notes
- 2024.11
- 2024.10
- 2024.09
- 2024.08
- 2024.07
- 2024.06
- 2024.05
- 2024.04
- 2024.03
- 2024.02
- 2024.01
Downloads
Downloads
- NodeZero Host VM (OVA/VHD)
  NodeZero Host VM (OVA/VHD)
  - N0 utility
- Host Check Script
- Splunk App
- Ubuntu Setup Script
Knowledge Base
Knowledge Base
- NodeZero Modules
  NodeZero Modules
  - Cyanide
    
    Cyanide
- Glossary
  Glossary
- Sensitive Data
  Sensitive Data
- Weaknesses
  Weaknesses
- Exposure Score

Microsoft Windows Machine Account NTLM Coercion via Authenticated LSARPC Spoofing

Block remote EFSRPC functionality with RPC Filters

If Microsoft Encrypted File System Remote Protocol (MS-EFSRPC) is not required, administrators should block the remote EFSRPC functionality on the vulnerable host using RPC filters.

Create a text file with the following content:

rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filteradd rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filterquit

Use the netsh command line utility to import the RPC filter from an elevated administrator prompt: netsh -f <FILTER_FILE_NAME>
To confirm the filters are in place, you can view the current RPC filters using the following command: netsh rpc filter show filter

See CERT Coordination Center Vulnerability Note:#405600 for additional details.