MS-DFSNM NTLM Relay Attack for Windows Domain Takeover
Common Information
Type Value
UUID dfef9238-b697-4bfe-b1e2-84742f4da0e8
Fingerprint 4e1f78615856f180a7207a01615ec51f19215b6c420e7b5c7cbbe5f5eec860f7
Analysis status DONE
Considered CTI value 0
Text language
Published June 21, 2022, 11:19 a.m.
Added to db March 10, 2024, 11:19 a.m.
Last updated Aug. 31, 2024, 3:51 a.m.
Headline MS-DFSNM NTLM Relay Attack for Windows Domain Takeover
Title MS-DFSNM NTLM Relay Attack for Windows Domain Takeover
Detected Hints/Tags/Attributes 18/1/25
Attributes
Type #Events CTI Value
Domain 4127 github.com
Domain 251 www.bleepingcomputer.com
Domain 6 www.thehacker.recipes
Domain 281 docs.microsoft.com
Domain 128 support.microsoft.com
Domain 35 www.akamai.com
Domain 2 zeronetworks.com
Github username 2 wh04m1001
Github username 1 shutdownrepo
Github username 3 leechristensen
Github username 4 topotam
Microsoft Patch Numbers 6 KB5005413
Url 1 https://github.com/wh04m1001/dfscoerce
Url 1 https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-attack-allows-
Url 1 http://www.thehacker.recipes/active-directory-domain-services/movement/mitm-and-coerced-
Url 1 https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-
Url 1 https://github.com/shutdownrepo/shadowcoerce
Url 3 https://github.com/leechristensen/spoolsample
Url 4 https://github.com/topotam/petitpotam
Url 1 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-
Url 1 https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-
Url 1 https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/extended-protection-
Url 1 https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-
Url 1 https://www.akamai.com/blog/security/guide-rpc-filter#why
Url 1 https://zeronetworks.com/blog/the-ransomware-kill-switch-becomes-even-more-deadly-the-rpc-