MS-RPC Coercion Attacks
Coercion attacks force a Windows machine to authenticate to a server you control using NTLM — then relay that authentication. The DC machine account authenticating to your relay gives you NTLM hash to relay, a TGT for DCSync, or an ADCS certificate for persistent access. PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce — this covers all of them with full attack chains.
Members Only Content
This article is exclusively available to registered members of LazyHackers. Login or subscribe to read.