RemoteMonologue: New Windows Technique Weaponizes DCOM for NTLM Credential Harvesting
RemoteMonologue is a Windows credential harvesting technique that enables remote user compromise by leveraging the Interactive User RunAs key and coercing NTLM authentications via DCOM.
Features
🔹 Authentication Coercion via DCOM (`-dcom`)
- Targets three DCOM objects (`ServerDataCollectorSet`, `FileSystemImage`, `UpdateSession`) to trigger an NTLM authentication against a specified listener (`-auth-to`).
🔹 Credential Spraying (`-spray`)
- Validates credentials across multiple systems while also capturing user credentials.
🔹 NetNTLMv1 Downgrade Attack (`-downgrade`)
- Forces targets to use NTLMv1, making credential cracking and relaying easier.
🔹 WebClient Service Abuse (`-webclient`)
- Enables the WebClient service to facilitate HTTP-based authentication coercion.
🔹 User Enumeration (`-query`)
- Identifies users with an active session on the target system.
Note: Local administrator privileges on the target system are required.
Defensive Considerations
To protect against and detect these techniques, there are several preventative and detection measures that can be implemented.
Preventative measures:
- Enable LDAP Signing and Channel Binding: Configure LDAP signing enforcement and channel binding on domain controllers to protect the LDAP endpoint from relay attacks. Note: These settings will be enforced by default starting with Windows Server 2025.
- Upgrade to the Latest Windows Versions: Upgrade servers to Windows Server 2025 and workstations to Windows 11 version 24H2 to mitigate NetNTLM downgrade attacks, as NTLMv1 has been removed in these versions.
- Enforce SMB Signing: Enable and enforce SMB signing on Windows servers to prevent SMB relay attacks.
- Implement Strong Password Policies: Enforce strong password requirements to make password cracking attacks more challenging.
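The following PowerShell script is an added example, not code from the RemoteMonologue project, that audits a host against the preventative measures above from a read-only, defender's standpoint. It assumes an elevated session on the host being checked; the registry paths and value names are the standard Windows locations, while the "expected" thresholds (NTLMv2-only level, mandatory signing, build number 26100 for Server 2025 and Windows 11 24H2) are this script's own assumptions about what "hardened" should mean here.

```powershell
# Added example, not part of the RemoteMonologue project: read-only audit of the
# host settings named in the preventative measures above. Run in an elevated
# PowerShell session on the host being checked. Registry paths and value names
# are the standard Windows locations; the "expected" thresholds are this
# script's assumptions, chosen to match the hardening the list describes.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null  # key or value absent
    }
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. NTLM negotiation level. 0-2 still allow LM/NTLMv1 responses, 3-5 send
#    NTLMv2 only, and 5 additionally refuses LM and NTLM from clients. An absent
#    value means the OS default applies, which on current Windows is 3.
$lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
if ($null -eq $lm)  { $findings.Add('LmCompatibilityLevel not set explicitly (OS default applies)') }
elseif ($lm -lt 3)  { $findings.Add("LmCompatibilityLevel is $lm; NTLMv1 responses permitted") }
elseif ($lm -lt 5)  { $findings.Add("LmCompatibilityLevel is $lm; consider 5 (refuse LM/NTLM)") }

# 2. SMB signing, server side (LanmanServer) and client side (LanmanWorkstation).
#    RequireSecuritySignature = 1 means signing is mandatory for that role.
foreach ($role in 'LanmanServer', 'LanmanWorkstation') {
    $req = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$role\Parameters" 'RequireSecuritySignature'
    if ($req -ne 1) { $findings.Add("$role RequireSecuritySignature is '$req' (expected 1)") }
}

# 3. LDAP signing and channel binding. The NTDS key exists only on domain
#    controllers, so this block is skipped on member servers and workstations.
#    LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $sign = Get-RegValue $ntds 'LDAPServerIntegrity'
    $cbt  = Get-RegValue $ntds 'LdapEnforceChannelBinding'
    if ($sign -ne 2) { $findings.Add("LDAPServerIntegrity is '$sign' (expected 2)") }
    if ($cbt -ne 2)  { $findings.Add("LdapEnforceChannelBinding is '$cbt' (expected 2)") }
}

# 4. OS build, as a cheap proxy for the "upgrade" recommendation. 26100 is the
#    build number shared by Windows Server 2025 and Windows 11 24H2 (assumed
#    threshold for this check).
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($build -lt 26100) { $findings.Add("OS build $build predates Server 2025 / Windows 11 24H2") }

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Each finding is a plain string so the output can be piped into whatever baseline or ticketing process already exists; the password-policy item in the list is intentionally not checked here because it is a domain policy rather than a per-host registry value.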
Detection opportunities:
- Monitor Remote Access to DCOM Objects: Track access to the affected DCOM objects and their specific Properties and Methods to identify unusual activity.
- Monitor Registry Modifications: Monitor changes to the RunAs and LmCompatibilityLevel registry keys.
- Track WebClient Service Activity: Monitor for instances where the WebClient service is enabled remotely, as this is used to facilitate HTTP-based NTLM authentications.
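As an added example (not from the RemoteMonologue project), the PowerShell script below turns the second and third detection opportunities into a retrospective hunt over local event logs. It assumes Sysmon is installed with registry value-set logging enabled (Event ID 13 in the Microsoft-Windows-Sysmon/Operational channel) for the RunAs and LmCompatibilityLevel signals, and uses the Service Control Manager's event 7040 in the System log, present on every Windows host, for WebClient start-type changes. The 24-hour lookback is an assumption; the first detection item (DCOM object access) is not covered because Windows does not record successful remote DCOM activations in a default log.

```powershell
# Added example, not part of the RemoteMonologue project: hunt local event logs
# for registry writes to AppID RunAs values or LmCompatibilityLevel (Sysmon
# Event ID 13) and for WebClient service start-type changes (System log 7040).
# Assumes Sysmon with registry logging enabled; the lookback window is arbitrary.

$LookbackHours = 24
$since = (Get-Date).AddHours(-$LookbackHours)
$hits  = New-Object System.Collections.Generic.List[object]

# 1. Registry value writes. Sysmon puts the full value path in TargetObject and
#    the new data in Details. A write attributed to a service host rather than
#    an admin tool is worth a closer look, since remote modification does not
#    arrive through an interactive process.
$regFilter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $since }
Get-WinEvent -FilterHashtable $regFilter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetObject -match '\\Classes\\AppID\\\{[^}]+\}\\RunAs$' -or
        $d.TargetObject -match '\\Control\\Lsa\\LmCompatibilityLevel$') {
        $hits.Add([pscustomobject]@{
            Time   = $_.TimeCreated
            Signal = 'RegistryValueSet'
            Detail = "$($d.TargetObject) = $($d.Details) by $($d.Image) ($($d.User))"
        })
    }
}

# 2. WebClient service start type changed (for example from disabled to demand
#    start). Event 7040's message names the service and both start types.
$svcFilter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7040; StartTime = $since }
Get-WinEvent -FilterHashtable $svcFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'WebClient' } |
    ForEach-Object {
        $hits.Add([pscustomobject]@{
            Time   = $_.TimeCreated
            Signal = 'WebClientStartTypeChanged'
            Detail = $_.Message
        })
    }

# 3. Current snapshot of AppIDs configured as "Interactive User", to compare
#    against a previously saved baseline when change events are unavailable.
$interactive = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    Where-Object {
        try { (Get-ItemProperty $_.PSPath -Name RunAs -ErrorAction Stop).RunAs -eq 'Interactive User' }
        catch { $false }
    } | ForEach-Object { $_.PSChildName }
$hits.Add([pscustomobject]@{
    Time   = Get-Date
    Signal = 'RunAsBaseline'
    Detail = "AppIDs with RunAs=Interactive User: $(@($interactive).Count)"
})

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The same filters translate directly into a SIEM rule: alert on any Sysmon 13 whose TargetObject ends in `\RunAs` under `\Classes\AppID\` or in `\Lsa\LmCompatibilityLevel`, and on any 7040 naming WebClient on a server, then use the process and user fields to separate sanctioned configuration management from anything else.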
Read X-Force Red’s RemoteMonologue: Weaponizing DCOM for NTLM Authentication Coercions for detailed information.