H3-2023-0013
Authenticated Microsoft Windows Machine Account NTLM Coercion via File Server Remote VSS Protocol Manipulation
Category: SECURITY_MISCONFIGURATION
Base Score: 5.3
Description
Microsoft's File Server Remote VSS Protocol [MS-FSRVP] is used to create shadow copies of file shares on a remote computer, and to help backup applications perform application-consistent backup and restore of data on SMB2 shares. An attacker who controls a domain user or computer account can manipulate one of the protocol's vulnerable methods to make the server authenticate, as its machine account, to a target of the attacker's choosing.
Impact
An authenticated attacker with access to low-privileged user credentials can use this vulnerability to coerce a Domain Controller to authenticate to another server using NTLM, allowing for hash capture and NTLM relay to a vulnerable endpoint. Historically, this vulnerability has been paired with a vulnerable Active Directory Certificate Services web interface to acquire persistent credentials for the Domain Controller machine account, leading to a full domain compromise.
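Detection sketch for the coercion described above, as an added example that is not part of the original advisory: MS-FSRVP is served over the `FssagentRpc` named pipe on the IPC$ share, so Windows Security event 5145 records for that pipe from hosts that are not known backup servers are worth reviewing. The JSON export layout, host names, addresses and the allowlist are constructed assumptions.

```python
import json

# Named pipe MS-FSRVP is served over (per the protocol specification).
FSRVP_PIPE = "fssagentrpc"
# Assumption: hosts that legitimately request remote shadow copies.
ALLOWED_SOURCES = {"10.0.5.20"}

# Constructed sample: event 5145 records exported as one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 5145, "Computer": "FS01.corp.example", "SubjectUserName": "svc-backup", "IpAddress": "10.0.5.20", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "FssagentRpc"}
{"EventID": 5145, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe", "IpAddress": "10.0.9.77", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "FssagentRpc"}
{"EventID": 5145, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe", "IpAddress": "10.0.9.77", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"}
not-json garbage
{"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe", "IpAddress": "10.0.9.77"}
"""

def find_fsrvp_coercion_candidates(lines, allowed=ALLOWED_SOURCES):
    """Return (server, account, source) for FSRVP pipe opens from unlisted hosts."""
    hits = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines instead of aborting the scan
        if ev.get("EventID") != 5145:
            continue  # only detailed file share access events carry the pipe name
        share = str(ev.get("ShareName", "")).lower()
        pipe = str(ev.get("RelativeTargetName", "")).lower().lstrip("\\")
        if not share.endswith("ipc$") or pipe != FSRVP_PIPE:
            continue
        src = ev.get("IpAddress", "")
        if src in allowed:
            continue  # expected backup traffic
        hits.append((ev.get("Computer"), ev.get("SubjectUserName"), src))
    return hits

if __name__ == "__main__":
    for server, account, src in find_fsrvp_coercion_candidates(SAMPLE_EVENTS):
        print(f"review: {account} from {src} opened FssagentRpc on {server}")
```

Event 5145 is only recorded when the "Audit Detailed File Share" policy is enabled on the server being monitored.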