Microsoft Windows Machine Account NTLM Coercion via Authenticated MS-DFSNM
2023-6-21 03:14:38 Author: www.horizon3.ai(查看原文) 阅读量:19 收藏

If Microsoft Distributed File System (DFS) Namespace Management Protocol (MS-DFSNM) is not required, administrators should block the remote MS-DFSNM functionality for non-Domain Admins on the vulnerable host using RPC filters.

    1. Create a text file with the following content:
      rpc
      filter
      add rule layer=um actiontype=permit
      add condition field=if_uuid matchtype=equal data=4FC742E0-4A10-11CF-8273-00AA004AE673
      add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
      add filter
      add rule layer=um actiontype=block
      add condition field=if_uuid matchtype=equal data=4FC742E0-4A10-11CF-8273-00AA004AE673
      add filter
      quit
    2. Use the netsh command line utility to import the RPC filter from an elevated administrator prompt:
      netsh -f <FILTER_FILE_NAME>
    3. To confirm the filters are in place, you can view the current RPC filters using the following command:
      netsh rpc filter show filter

See CERT Coordination Center Vulnerability Note VU:#405600 for additional details on protecting Active Directory Certificate Services from NTLM relay attacks.


文章来源: https://www.horizon3.ai/h3-2023-0014/
如有侵权请联系:admin#unsafe.sh