DFSCoerce NTLM Relay Attack | Threat SnapShot

preview_player
Показать описание
In this week's Threat SnapShot, we take a look at the DFSCoerce attack tool that was released a little over a week ago. Similar to PetitPotam that we covered previously, this falls into the category of NTLM relay attacks. As an attacker, if I can man-in-the-middle and intercept a DFS authentication request, I can relay that to Active Directory Certificate Services (AD CS) and use a Kerberos Ticket Granting Ticket (TGT) to gain full domain privileges. As always, we'll dive into the attack and discuss detection and prevention strategies.

DFSCoerce tool

Praetorian blog post with additional attack variation

Microsoft KB with recommended mitigations
  1. SnapAttack
Рекомендации по теме
[Fixed]DFSCoerce NTLM Relay 0:01:14

[Fixed]DFSCoerce NTLM Relay attack allows Windows domain takeover | MS-DFSNM NTLM Relay attack

DFSCoerce NTLM Relay 0:06:09

DFSCoerce NTLM Relay Attack | Threat SnapShot

Attack and Detection 0:22:28

Attack and Detection of DFSCoerce and NTLM relaying ADCS attacks.

NTLM relay to 0:38:26

NTLM relay to AD CS ESC8 Tutorial | Exploit Active Directory Certificate Services

NTLM Relay Attack 0:05:50

NTLM Relay Attack Allows Any Standard Active Directory User To Become Domain Admin.

ADCS NTLM Relay 0:01:59

ADCS NTLM Relay - Compromise the DC

Windows Domain - 0:09:24

Windows Domain - Attack & Defense: 02 NTLM Relay

Performing SMB Relay 0:09:53

Performing SMB Relay Attacks in Active Directory

PetitPotam NTLM Relay 0:06:29

PetitPotam NTLM Relay Attack | Threat SnapShot

Coercer NTLM Forced 0:02:58

Coercer NTLM Forced Authentication

NetNTLMv1 Downgrade Attack 0:01:41

NetNTLMv1 Downgrade Attack - Quick Domain Compromise

BlackAlps 2022: NTLM 0:37:27

BlackAlps 2022: NTLM Relay: The Attack That Keeps On Giving by Sylvain Heiniger

ToddyCat Tracked, NTLM 0:03:35

ToddyCat Tracked, NTLM Relay Attack, Beware Zombie Bugs, and more.

LLMNR Poisoning | 0:13:11

LLMNR Poisoning | NTLM Relay Attack | Windows Domain | Reverse Shell

SANS Workshop – 2:01:31

SANS Workshop – NTLM Relaying 101: How Internal Pentesters Compromise Domains

NTLMv1 to LDAP 0:02:09

NTLMv1 to LDAP Relay - Quick Domain Compromise

Six Minutes for 0:05:34

Six Minutes for MiTM6

Petitpotam Exploit POC 0:01:00

Petitpotam Exploit POC

Network Security News 0:05:44

Network Security News Summary for Tuesday June 21st, 2022

NTLM Relay via 0:01:13

NTLM Relay via SMB

PetitPotam - NTLM 0:03:22

PetitPotam - NTLM Relay to AD CS

PetitPotam | NTLM 0:16:59

PetitPotam | NTLM Relay Attacks | AD CS | Mimikatz | Rubeus | Domain Takeover

Hacking Domain Admin 0:08:01

Hacking Domain Admin 6 ways to Sunday | PetitPotam, DCSync & Golden Tickets

June 24th 2022 0:15:31

June 24th 2022 CTP Week In Review: DFSCoerce, Ransomware in OneDrive & PowerShell Forever