MS-DFSNM abuse (DFSCoerce)


MS-DFSNM is Microsoft's Distributed File System Namespace Management protocol. It provides an RPC interface for administering DFS configurations ( and is available as an RPC interface. That interface is available through the \pipe\netdfs SMB named pipe.

In mid-2022, Filip Dragovic demonstrated the possibility of abusing the protocol to coerce authentications. Similarly to other MS-RPC abuses, this works by using a specific method relying on remote address. In this case (as of July 6th, 2022), the following methods were detected vulnerable: NetrDfsRemoveStdRoot and NetrDfsAddStdRoot. It is worth noting this coercion method only works against domain controllers.


The following Python proof-of-concept ( implements the NetrDfsRemoveStdRoot and NetrDfsAddStdRoot methods. -d "domain" -u "user" -p "password" LISTENER TARGET


Last updated