Authentication Coercion Attacks
Coercion attacks force Windows machines to authenticate to attacker-controlled servers — the critical first step in NTLM relay chains, delegation abuse, and full domain compromise.
Many Windows services share a behaviour that attackers can turn against them: when handed a UNC path or hostname, they open a connection to that remote machine and authenticate to it with the computer account's own credentials. Authentication coercion abuses this. An attacker holding any low-privileged domain account calls an RPC method on a target machine (a Domain Controller is the usual prize) that takes a path argument, and points that path at a server the attacker controls. The target dutifully connects and presents its credentials. Because the attacker's host is normally given as an IP address or a name with no registered SPN, the target falls back from Kerberos to NTLM, which is precisely what makes the exchange relayable. Several RPC interfaces can be abused this way: the Print Spooler's MS-RPRN (PrinterBug), the Encrypting File System remote protocol MS-EFSRPC (PetitPotam), the DFS namespace management interface MS-DFSNM (DFSCoerce), and others. A machine account's NTLM response is not practically crackable, so the value is in relaying it live: to an AD CS web enrollment endpoint to obtain a certificate for the coerced machine account, or to LDAP to configure delegation on the target. A separate variant coerces the target into authenticating with Kerberos to a compromised host that has unconstrained delegation, which delivers the target's full TGT.
Imagine a building where guards patrol different floors. Each guard carries a master badge that opens every door on their floor. A coercion attack is like calling a guard and saying "Come check this suspicious package on the ground floor." When the guard arrives, you photograph their badge — and now you can either clone it (relay it) or use it to enter their floor directly (capture credentials). The guard showed their badge simply because you asked them to come over. PetitPotam, PrinterBug, and DFSCoerce are different ways of making that phone call.
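The coercion surface a host exposes can be inventoried locally by looking at which named pipes and services behind the methods above are present. The following PowerShell is an added example, not code from the original page or from any of the tools it names; it assumes the standard pipe names each method binds to (spoolss, efsrpc and lsarpc, netdfs, FssagentRpc), uses the Windows service names Spooler, Dfs and WebClient, and is meant to be run elevated on the host being assessed.

```powershell
# Added example: inventory the coercion-relevant RPC surface on the local host.
# Pipe-to-method mapping is a constructed table for this example.
function Get-CoercionSurface {
    [CmdletBinding()]
    param()

    # Service = $null means the interface is hosted by a component a DC cannot do
    # without (lsass, DFS for SYSVOL), so it must be mitigated on the relay targets.
    $table = @(
        @{ Pipe = 'spoolss';     Method = 'PrinterBug (MS-RPRN)';          Service = 'Spooler'
           Note = 'Disable the Print Spooler on DCs' }
        @{ Pipe = 'efsrpc';      Method = 'PetitPotam (MS-EFSRPC)';        Service = $null
           Note = 'Interface also reachable via lsarpc; rely on patches, signing and EPA' }
        @{ Pipe = 'lsarpc';      Method = 'PetitPotam (MS-EFSRPC via lsarpc)'; Service = $null
           Note = 'Always present on a DC' }
        @{ Pipe = 'netdfs';      Method = 'DFSCoerce (MS-DFSNM)';          Service = 'Dfs'
           Note = 'DFS Namespace service is required on DCs for SYSVOL' }
        @{ Pipe = 'FssagentRpc'; Method = 'ShadowCoerce (MS-FSRVP)';       Service = $null
           Note = 'Only present when the File Server VSS Agent role service is installed' }
    )

    # Snapshot of the named pipes currently open on this host.
    $openPipes = [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { Split-Path -Path $_ -Leaf }

    foreach ($entry in $table) {
        $svc = if ($entry.Service) { Get-Service -Name $entry.Service -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Method       = $entry.Method
            Pipe         = $entry.Pipe
            PipeExposed  = ($entry.Pipe -in $openPipes)
            Service      = $entry.Service
            ServiceState = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'n/a' }
            Note         = $entry.Note
        }
    }

    # WebClient is not a trigger itself, but while it runs a coerced path of the
    # form \\attacker@80\share makes this host authenticate over HTTP, which has
    # no signing and relays cleanly to LDAP or AD CS web enrollment.
    $web = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Method       = 'WebDAV relay path (HTTP authentication, no SMB signing)'
        Pipe         = $null
        PipeExposed  = $null
        Service      = 'WebClient'
        ServiceState = if ($web) { "$($web.Status)/$($web.StartType)" } else { 'not installed' }
        Note         = 'Set to Disabled; Manual start is enough for the redirector to be triggered on demand'
    }
}

# DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem).
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
Write-Host ('Host role: ' + $(if ($role -ge 4) { 'Domain Controller' } else { 'member or standalone' }))
Get-CoercionSurface | Format-Table -AutoSize -Wrap
```

The useful output is the combination of PipeExposed and ServiceState: on a DC, lsarpc and netdfs will always show as exposed, which is the practical reason the defensive effort for PetitPotam and DFSCoerce goes into signing, channel binding and EPA on the relay targets rather than into switching anything off at the source.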
Key Takeaways
- Coercion attacks force high-value targets (DCs) to authenticate to attacker-controlled servers.
- PetitPotam, PrinterBug, DFSCoerce, and ShadowCoerce exploit different RPC interfaces but achieve the same result.
- The coercion + NTLM relay + AD CS (ESC8) chain is one of the most reliable paths to domain compromise.
- WebDAV coercion sidesteps SMB signing: if the WebClient service is running on the target, pointing the coerced path at \\attacker@80\share makes the target authenticate over HTTP, which has no signing, so the exchange relays to LDAP (where channel binding is not enforced) or to AD CS web enrollment. The attacker's hostname must land in the target's Intranet zone (typically a dotless name), which is why attackers register one via ADIDNS or use a NetBIOS name.
- Coercer (a unified tool) tests a broad set of known RPC coercion methods against a target automatically, so a single run shows which interfaces a host still exposes.
- Disabling the Print Spooler and WebClient services on DCs removes PrinterBug and the WebDAV relay path, but the EFSRPC and DFSNM interfaces are hosted by components a DC cannot run without, so those vectors have to be closed with patches and with signing, channel binding and EPA on the relay targets.
Authentication coercion is the "glue" that makes NTLM relay, delegation abuse, and AD CS attacks practical. Understanding coercion techniques is essential because they are the trigger for the most devastating AD attack chains in modern penetration testing.
Defense Recommendations
Disable unnecessary services on DCs, enforce signing on all protocols, deploy EPA, and monitor for unexpected outbound authentication from DCs.
1. Disable the Print Spooler on all DCs: Set-Service -Name Spooler -StartupType Disabled -Status Stopped (or via GPO, so it stays disabled).
2. Apply all MS-EFSRPC patches. Note that the August 2021 fix (CVE-2021-36942) only blocks the unauthenticated PetitPotam variant; an attacker with any domain account can still coerce through the EFSRPC interface, so this step does not replace signing and EPA. Microsoft's guidance for AD CS (KB5005413) covers the relay side.
3. Require SMB signing (the "always" or "required" setting, not merely "enabled") on all DCs and servers via GPO; the client-side setting matters too, since a coerced server is acting as an SMB client.
4. Require LDAP signing and set LDAP channel binding to "Always" on all DCs. LDAPS without channel binding is still a relay target.
5. Enable EPA (Extended Protection for Authentication) on AD CS web enrollment, Exchange, ADFS and other HTTP endpoints that accept NTLM, require HTTPS on them, and where the environment allows it, disable NTLM on those endpoints altogether.
6. Disable the WebClient service on servers, and on workstations that do not need WebDAV: Set-Service -Name WebClient -StartupType Disabled -Status Stopped. A Manual start type is not enough, because the redirector is started on demand the moment a WebDAV path is referenced.
7. On DCs and other likely relay targets, alert on Event ID 4624 with logon type 3 and authentication package NTLM where the account is a machine account (a name ending in $) and the source IP address is not that machine's own address; a DC's account authenticating with NTLM from a workstation address is the signature of a relayed coercion. Enable Detailed File Share auditing on DCs as well and watch Event ID 5145 for IPC$ access to the spoolss, efsrpc, lsarpc and netdfs pipes from non-administrative sources, which is the coercion trigger itself.
8. Deploy network detection for the relay pattern: a low-privileged host opening an RPC or SMB connection to a DC, the DC opening an outbound SMB or HTTP connection to that same non-DC host within seconds, and the DC's machine account then appearing in an NTLM authentication at a third host such as the AD CS server.
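The registry values behind the signing and channel-binding settings above can be verified on a host, and the Security log can be hunted for the relay indicator from item 7. The following PowerShell is an added example, not code from the original page; it assumes the registry value names Windows uses for these GPO settings, that AD CS web enrollment lives at the default IIS path given in $CertSrvPath, and that the host's DNS A records are the only addresses its machine account should authenticate from.

```powershell
# Added example: verify coercion/relay hardening and hunt for relayed machine-account logons.
# Run elevated on a DC, an AD CS host, or any other likely relay target.

function Get-IisAttr {
    # Returns an IIS attribute as a string whether the cmdlet hands back a wrapper object or a bare value.
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { "$($raw.Value)" } else { "$raw" }
}

function Test-CoercionHardening {
    [CmdletBinding()]
    param(
        # Assumed default location of the AD CS web enrollment application.
        [string]$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'
    )
    # Registry values set by the SMB signing and LDAP signing/channel binding GPO entries.
    $checks = @(
        @{ Check = 'SMB server signing required'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature';  Expect = 1 }
        @{ Check = 'SMB client signing required'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature';  Expect = 1 }
        @{ Check = 'LDAP signing required (DC)';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Name = 'LDAPServerIntegrity';       Expect = 2 }
        @{ Check = 'LDAP channel binding always'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Name = 'LdapEnforceChannelBinding'; Expect = 2 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Check = $c.Check; Actual = $actual; Pass = ($actual -eq $c.Expect) }
    }
    # EPA and HTTPS on the AD CS web enrollment application (only where IIS tooling is present).
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        if (Test-Path $CertSrvPath) {
            $epa = Get-IisAttr -PSPath $CertSrvPath -Name tokenChecking `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
            $ssl = Get-IisAttr -PSPath $CertSrvPath -Filter 'system.webServer/security/access' -Name sslFlags
            [pscustomobject]@{ Check = 'AD CS EPA tokenChecking = Require'; Actual = $epa; Pass = ($epa -in 'Require', '2') }
            [pscustomobject]@{ Check = 'AD CS HTTPS required';             Actual = $ssl; Pass = ($ssl -match 'Ssl') }
        }
    }
}

function Find-RelayedMachineLogon {
    [CmdletBinding()]
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $dnsCache = @{}
    foreach ($e in $events) {
        # 4624 carries its fields as <Data Name="..."> elements; flatten them into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -ne '3' -or $d.AuthenticationPackageName -ne 'NTLM') { continue }
        if ($d.TargetUserName -notlike '*$') { continue }              # machine accounts only
        if ($d.IpAddress -in '-', '127.0.0.1', '::1') { continue }     # local logons carry no source IP
        $computer = $d.TargetUserName.TrimEnd('$')
        if (-not $dnsCache.ContainsKey($computer)) {
            $dnsCache[$computer] = @(Resolve-DnsName -Name $computer -Type A -ErrorAction SilentlyContinue |
                Where-Object IPAddress | ForEach-Object IPAddress)
        }
        $expected = $dnsCache[$computer]
        # A machine account authenticating with NTLM from an address that is not its own is the
        # signature of a relayed coercion. Names that do not resolve are skipped rather than flagged.
        if ($expected.Count -gt 0 -and $d.IpAddress -notin $expected) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = $d.TargetUserName
                SourceIp    = $d.IpAddress
                ExpectedIps = ($expected -join ',')
                Workstation = $d.WorkstationName
            }
        }
    }
}

Test-CoercionHardening | Format-Table -AutoSize
Find-RelayedMachineLogon -Hours 24 | Format-Table -AutoSize
```

Multi-homed DCs, NAT between sites and stale DNS records all produce hits from Find-RelayedMachineLogon that are not attacks, so tune the expected-address list per host before alerting on it; a hit whose SourceIp is a workstation subnet and whose Account is a DC is the one to treat as an incident.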