Security Advisory 2022-044

Release Date:

MS-DFSNM NTLM Relay Attack for Windows Domain Takeover



  • 21/06/2022 --- v1.0 -- Initial publication


On the 18th of June 2022, a security researcher published a proof of concept for MS-DFSNM coerce authentication using NetrDfsRemoveStdRoot method [1]. This type of attack allows Windows domain takeover. To coerce a remote server to authenticate against a malicious NTLM relay, threat actors could use various methods, including the MS-RPRN, MS-EFSRPC (PetitPotam), and MS-FSRVP protocols [2-7].

Technical Details

A Windows NTLM relay attack has been discovered that uses MS-DFSNM, Microsoft's Distributed File System [8], which can take over a Windows domain.

This service is vulnerable to NTLM relay attacks, which is when threat actors force, or coerce, a domain controller to authenticate against a malicious NTLM relay under an attacker's control.

This malicious server would then relay, or forward, the authentication request to a domain's Active Directory Certificate Services via HTTP and ultimately be granted a Kerberos ticket-granting ticket (TGT). This ticket allows the threat actors to assume the identity of any device on the network, including a domain controller.

Once they have impersonated a domain controller, they will have elevated privileges allowing the attacker to take over the domain and run any command. [2]


There are several mitigations against the aforementioned attack which are in general best practice and listed below [2].

  • Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) [9].
  • Extended Protection for Authentication Overview [10] combined with signing featues, such as SMB signing, to protect Windows credentials [11].
  • Use of Windows' built-in RPC Filters [12] or RPC Firewall [13] to prevent servers from being coerced via the MS-DFSNM protocol.















We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.