Active Directory Members Only

MS-RPC Coercion Attacks

Coercion attacks force a Windows machine to authenticate to a server you control using NTLM — then relay that authentication. The DC machine account authenticating to your relay gives you NTLM hash to relay, a TGT for DCSync, or an ADCS certificate for persistent access. PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce — this covers all of them with full attack chains.

Related Articles