On 20 June 2022 we saw the release of a new NTLM Relay attack “DFSCoerce” which is of similar ilk to the petit potam attack (CVE-2021-36942) and MS-FSRVP abuse (Shadow Coerce). However, in an environment where mitigations have been deployed to prevent these techniques, DFS Coerce can be utilised to relay DC Authentication to ADCS.

This attack exploits a vulnerability within [MS-DFSNM]: Distributed File System (DFS): Namespace Management Protocol to elicit an authentication over the network which can be captured or relayed in tools such as responder or ntlmrelayx to Active Directory Certificate Services (ADCS) server to compromise windows domains.

At Reliance acsn we comprehensively road test all new tools and techniques we see within our dedicated sandboxed lab environment to prevent exposure of malicious or infected tools entering our clients’ network. This helps us ensure we know the desired outcomes of each new technique and can train our consultants on the latest threats within the industry.