Security researcher Gilles Lionel recently shared technical details and a Proof-of-Concept (PoC) of an attack that abuses a flaw in the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) to coerce Windows hosts into authenticating to other machines in an Active Directory domain. The attack can lead to the takeover of a domain controller or other Windows servers. It uses MS-EFSRPC to force a device, including a domain controller, to authenticate to a remote NTLM relay controlled by the threat actor. Once the device authenticates, the threat actor can use the relayed authentication to obtain hashes and certificates that let them assume the identity and privileges of that device. Microsoft has referenced previously published guidance for system administrators to disable NTLM or enable SMB signing in their organizations, which prevents NTLM relays and makes this attack method ineffective.
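As an added example (not part of the original article), the following PowerShell audit checks the two mitigations the article cites, SMB signing and NTLM restriction, by reading the registry values behind the corresponding Group Policy settings; the "Expected" values are an assumed full-enforcement target, not a baseline taken from the article.

```powershell
# Added audit script (not from the original article). Reports whether this host
# requires SMB signing and denies NTLM, the two relay mitigations the article cites.
# The registry paths are the documented locations behind the Group Policy settings;
# the Expected values are an assumed full-enforcement target.

$checks = @(
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'Incoming NTLM denied (RestrictReceivingNTLMTraffic = 2)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'RestrictReceivingNTLMTraffic'; Expected = 2 },
    @{ Name = 'Outgoing NTLM denied (RestrictSendingNTLMTraffic = 2)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Key  = 'RestrictSendingNTLMTraffic'; Expected = 2 }
)

function Test-RelayMitigations {
    foreach ($c in $checks) {
        # A missing value means the policy was never configured, so Windows falls
        # back to its default (signing negotiated but not required, NTLM allowed);
        # report that as non-compliant rather than skipping it.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Key) } else { $null }
        [pscustomobject]@{
            Check     = $c.Name
            Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected  = $c.Expected
            Compliant = ($actual -eq $c.Expected)
        }
    }
}

# Run locally with administrative rights; each row shows one mitigation.
Test-RelayMitigations | Format-Table -AutoSize
```

Domain controllers typically already require SMB server signing through the default domain controller policy, so the first row is usually compliant there while member servers and workstations often are not.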
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in