H3-2022-0073

Microsoft Windows Machine Account NTLM Coercion via Authenticated LSARPC Spoofing

Category	SECURITY_MISCONFIGURATION
Base Score	5.3

Description

The Microsoft Encrypted File System Remote Protocol (MS-EFSRPC) performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network. When a system handles certain EFSRPC requests, it uses NTLM authentication by default to connection to a file specified in the request. The resulting NTLM authentication information contains the machine account of the system. The EfsRpcEncryptFileSrv method can be invoked by an authenticated domain user, allowing an attacker to coerce a target system. This has been designated a "no fix" issue by Microsoft.

Impact

An attacker with access to low privileged user credentials can use this vulnerability to coerce a Domain Controller to authenticate to another server using NTLM, allowing for hash capturing and NTLM relay to a vulnerable endpoint. Historically, this vulnerability has been paired with a vulnerable Active Domain Certificate Services web interface to acquire persistent credentials for the Domain Controller Machine account -- leading to a full domain compromise.

References

• CERT Coordination Center Vulnerability Note VU:#405600 -- Microsoft Windows Active Directory Certificate Services can allow for AD compromise via PetitPotam NTLM relay attacks
• [MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol