H3-2023-0018

Microsoft Windows Machine Account NTLM Coercion via Distributed File System Namespace Management Protocol Manipulation

Category	SECURITY_MISCONFIGURATION
Base Score	5.3

Description

Microsoft's Distributed File System Namespace Management protocol [MS-DFSNM] provides a Remote Procedure Call (RPC) interface for administering Distributed File System (DFS) configurations. An attacker controlling a domain user/computer can, with a specific Remote Procedure Call (RPC), manipulate one of the vulnerable methods to make it authenticate to a target of the attacker's choosing.

Impact

An attacker with unauthorized access to the network can use this vulnerability to coerce a Domain Controller to authenticate to another server using NTLM, allowing for hash capturing and NTLM relay to a vulnerable endpoint. Historically, this vulnerability has been paired with a vulnerable Active Domain Certificate Services web interface to acquire persistent credentials for the Domain Controller Machine account -- leading to a full domain compromise.

References

• [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol
• MS-DFSNM Abuse (DFSCoerce)