From thehackernews.com
![](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi5X3Jd7s-HDrRGAzXR0jO-9AxkHIJFvY_mh-vEM8Fmbb9VoDKrFuAaBPNb4PZX9dpszwI5DOLlHanXHCtRH_i9wttW66M81LeTHOwaRoQbidQ8jbjiRaxon2rP5R4FEVCxE24ddrC7Xch5hBgtaTkoRQjJ9Ag2eIaavmYF0C0ilRVh-Nm3JbbBxfYa/s728-e100/cyber.jpg)
A new kind of Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to seize control of a domain.
“Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay [Domain Controller authentication to [Active Directory Certificate Services]? Don’t worry MS-DFSNM have (sic) your back,” security researcher Filip Dragovic said in a tweet.
MS-DFSNM provides a remote procedure call (RPC) interface for administering distributed file system configurations.