Skip to content


Authenticated Microsoft Windows Machine Account NTLM Coercion via Distributed File System Namespace Management Protocol Manipulation

Base Score 5.3


Microsoft's Distributed File System Namespace Management protocol [MS-DFSNM] provides a Remote Procedure Call (RPC) interface for administering Distributed File System (DFS) configurations. An attacker controlling a domain user/computer can, with a specific Remote Procedure Call (RPC), manipulate one of the vulnerable methods to make it authenticate to a target of the attacker's choosing.


An authenticated attacker with access to low privileged user credentials can use this vulnerability to coerce a Domain Controller to authenticate to another server using NTLM, allowing for hash capturing and NTLM relay to a vulnerable endpoint. Historically, this vulnerability has been paired with a vulnerable Active Domain Certificate Services web interface to acquire persistent credentials for the Domain Controller Machine account -- leading to a full domain compromise.