Depth Security, in its reports for 2026, continues to find hosts vulnerable to CVE-2025-33073 (CVSS 8.8), including domain controllers and Tier-0 servers: "Whether it's enterprise domain controllers, tier-zero servers, or random workstations, we are finding hosts still affected by this issue on almost every engagement." And here is the funny part: even SMB signing, when enabled, doesn't save you. NTLM Reflection allows a cross-protocol relay to LDAP and AD CS past all the signing.
NTLM coercion attacks in Active Directory are not just alive; they mutate faster than corporate teams can close the gaps. Here is the full picture: the mechanics, vector selection, practical exploitation and the real SOC blind spots that we see on projects over and over again.
Where coercion sits in the Active Directory attack kill chain
Forced NTLM authentication is not a standalone attack but an amplifier. Between "we have a domain account" and "we have Domain Admin", coercion is the missing link. In MITRE ATT&CK terms the chain looks like this:
Initial Access: phishing, exploitation of an external service, purchased or issued credentials
Credential Access: coercion forces the target machine to authenticate to a server under the attacker's control. Adversary-in-the-Middle (T1557)
Privilege Escalation: relay of the captured authentication to AD CS, LDAP or SMB. Obtaining a certificate or privileged access
Lateral Movement: Pass the Hash (T1550.002), Remote Services (T1021)
Credential Dumping: DCSync through secretsdump.py (T1003, OS Credential Dumping)
And here is what to remember: any domain account is enough for coercion. Not an administrative one. Not a service account. An ordinary corp\testuser has the right to call RPC functions on any domain host; that is by design. Microsoft has refused to recognize this as a vulnerability. On paper, everything is normal. In practice, it is a path to DA in 15 minutes.
Applicability: exclusively internal pentests or red team campaigns with a foothold already established in the network. On the external perimeter, coercion via RPC is irrelevant: you need direct network access to the RPC ports of the target host.
How forced NTLM authentication works
RPC functions under the hood of coercion attacks
RPC (Remote Procedure Call) is a fundamental mechanism for inter-process communication in Windows. A whole set of protocols use RPC as transport: MS-EFSRPC (file encryption), MS-RPRN (printing), MS-DFSNM (distributed file system), MS-EVEN (event log).
The problem is that a number of RPC functions take a UNC path (in the format \\IP\Share\path) as a parameter. When the server processes such a call, it initiates a connection back to the specified address, with automatic authentication from the computer account. The attacker substitutes their own IP for the legitimate resource and receives the authentication on a plate.
According to Unit 42 (Palo Alto Networks), 16 working functions in five protocols suitable for authentication coercion have been documented. The researchers say outright that more than 240 functions have not yet been tested and could potentially be exploited in the same way. Two hundred and forty. Untested. This is not a theoretical problem; it is an arsenal that opens up as the standard vectors get blocked.
Coercion Techniques and Their Status in 2026
PetitPotam - MS-EFSRPC
CVE-2021-36942 - Windows LSA Spoofing Vulnerability, CVSS 7.5 (HIGH), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Listed in CISA KEV and marked as ransomware-related. CISA's description: "The vulnerability allows an unauthenticated attacker to trigger a method on the LSARPC interface and force the domain controller to authenticate to another server via NTLM."
Author: researcher Gilles Lionel (topotam), PoC published in July 2021. It uses MS-EFSRPC functions (EfsRpcOpenFileRaw and its analogues) through the named pipe \pipe\efsrpc or \pipe\lsarpc on top of SMB (445/TCP).
Status in 2026: Microsoft's patch KB5005033 blocked some of the methods over the LSARPC interface without authentication. But authenticated coercion through the EFSRPC interface (named pipe \pipe\efsrpc) still works with any domain account. In practice: if there are low-privileged credentials, PetitPotam remains a working vector in most environments.
Tool: petitpotam.py (actively maintained by the community).
PrinterBug / SpoolSample - MS-RPRN
Exploits the RpcRemoteFindFirstPrinterChangeNotificationEx function of the Print Spooler service. Described by Lee Christensen (SpecterOps) in 2018; Microsoft did not assign a CVE, considering the behavior by design. Not to be confused with PrintNightmare (CVE-2021-34527, CVSS 8.8, HIGH, CISA KEV), a separate RCE vulnerability through RpcAddPrinterDriverEx in the same service.
Status in 2026: Print Spooler is increasingly disabled on servers. On workstations it is usually enabled. Check with ls \\target\pipe\spoolss.
Limitation: disabling the Spooler only blocks this vector. All other coercion techniques keep working; it is like boarding up one window in a house with twenty.
DFSCoerce - MS-DFSNM
Published by researcher Filip Dragović (Wh04m1001) as a response to PetitPotam being blocked and Print Spooler being disabled. Uses the distributed file system namespace protocol.
According to CERT/CC: "By relaying an NTLM authentication request from a domain controller to the Certificate Authority Web Enrollment service, an attacker can obtain a certificate that can be used to obtain a TGT."
Status in 2026: works wherever the DFS Namespace service is running. On domain controllers DFS is often enabled, which is logical but unpleasant for defenders.
Rare RPC interfaces: a trend not covered in Russian-language sources
According to Unit 42, in March 2025 a real attack on a healthcare organization was recorded: the attackers used the MS-EVEN interface (remote event log) for authentication coercion. This interface is not monitored by standard tooling; in the 30 days before the incident, not a single machine in the organization's network had used this protocol. Cortex XDR (Palo Alto Networks) generated a "Possible authentication coercion" alert on this atypical RPC call.
Unit 42 names the trend: "Attackers are now leaning toward rare, previously unseen RPC functions to avoid detection by defensive mechanisms." Defenders write rules for PetitPotam and PrinterBug; attackers switch to lesser-known opnums. Classic cat and mouse.
Tool: Coercer (actively maintained) automates testing of all known coercion functions across all protocols.
What to use: a decision tree for the pentester
Algorithm on a real project (grey box, low-privileged credentials are available):
Check the Spooler: ls \\target\pipe\spoolss. If available, start with PrinterBug
No Spooler? Check DFS: rpcdump.py @target | grep DFSNM
No DFS? PetitPotam with authentication
PetitPotam blocked? Launch Coercer to go through all interfaces
In parallel, check WebClient: ls \\target\pipe\DAVRpcServicePipe
Find AD CS with web enrollment: nxc ldap dc01.corp.local -u user -p pass -M adcs
Build the relay list of hosts without SMB signing: nxc smb 10.0.0.0/24 -u user -p pass --gen-relay-list targets.txt
Most projects are settled within the first three steps. If it gets as far as Coercer, the customer has decent hardening. But "decent" and "sufficient" are different things.
CVE-2025-33073: NTLM Reflection changes the rules
CVE-2025-33073 - Improper Access Control in Windows SMB, CVSS 8.8 (HIGH), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, CWE-284 (Improper Access Control). CISA's description: "An attacker can execute a specially crafted script to force the victim's machine to connect to an attacker-controlled SMB system and authenticate."
The essence: during NTLM authentication to the local machine, the server tells the client via the "Negotiate Local Call" flag that a full challenge-response is not needed. The client (lsass.exe running as SYSTEM) copies its token into the server context. The attacker registers a DNS record of a specific format in AD DNS, which all Authenticated Users can do by default, and through coercion makes LsapCheckMarshalledTargetInfo treat the connection as local. Result: a SYSTEM token on the target machine.
Cross-protocol relay: bypassing SMB signing
The classic mantra "turn on SMB signing and relay stops working" does not apply here.
This is a separate primitive from the classic cross-protocol relay (e.g., SMB to AD CS web enrollment / ESC8), which works without any CVE. Both vectors can be combined in one attack chain.
In a reflection attack, the "Negotiate Local Call" flag lets the attacker bypass the standard challenge-response, which distinguishes it from classic relay. A PoC is published on Exploit-DB: EDB-52330 (author Mohammed Idrees Banyamer, remote/windows, "Windows 11 SMB Client - Privilege Escalation & Remote Code Execution").
Prerequisites:
The ability to add a DNS record to AD DNS (by default, all Authenticated Users can) or LLMNR/NBT-NS poisoning in the broadcast domain
The ability to perform coercion (any technique above)
No patch for CVE-2025-33073 on the target host
Applicability: internal pentest, grey box. Modern infrastructure with SMB signing enabled is still vulnerable in the absence of the patch. That is why this CVE is so dangerous: it breaks a model everyone is used to relying on.
CVE-2025-24054: NTLM hash leak through the file system
CVE-2025-24054 - External Control of File Name or Path, CVSS 6.5 (MEDIUM), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, CWE-73. Added to CISA KEV on April 17, 2025.
Unlike RPC coercion, this vulnerability is exploited through specially crafted .library-ms files. With minimal user interaction, such as a file preview in Explorer or a click on a link, Windows automatically initiates NTLM authentication to the server specified in the file. The user has not even opened the file, and the hash has already left.
CVE-2025-24054 continues the trend set by the earlier CVE-2024-43451 (NTLM Hash Disclosure Spoofing, CVSS 6.5), which was also used in real attacks. Three PoCs are published on Exploit-DB: EDB-52280 (hyp3rinx, local), EDB-52480 (Exploit-DB publication date: 2026-02-11) and EDB-52478 (Exploit-DB publication date: 2026-02-04) (beatrizfn, remote); the dates are given as in the source.
Difference from RPC coercion: it does not require network access to the target's ports. It works through a phishing vector and is applicable to both internal and external pentests. This is the only technique in the review that hits the perimeter.
Practice: coercion → relay → domain takeover
Environment setup
Attacker OS: Kali Linux 2025.x+ (or any Linux with Python 3.10+)
Tools: Impacket (ntlmrelayx.py, secretsdump.py, rpcdump.py), petitpotam.py, Coercer, NetExec (nxc)
Network conditions: access to the target subnet (ports 135, 445, 389, and 80/443 for AD CS)
Credentials: any domain account (low-privileged)
Scenario: grey box; the customer issued corp\testuser with the password Password123
What lights up in the SIEM and where the detection blind spots are
Coercion attacks leave traces, but not where the SOC is used to looking.
What is detected by standard means:
Event ID 4624 (Logon Type 3) for the DC machine account on an atypical host; but in large domains Logon Type 3 generates such a volume of events that without baseline filtering it turns into torture
Sigma rules for T1550.002: win_susp_ntlm_auth.yml (Suspicious NTLM authentication), win_security_potential_pass_the_hash.yml. For T1557: zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml (detection of coercion through DNS manipulation)
NTLMv1 downgrade: the rule win_system_lsasrv_ntlmv1.yml catches use of the outdated NTLMv1, which often accompanies relay
Cortex XDR (Palo Alto Networks): the built-in "Possible authentication coercion" detection, which fired in the Unit 42 MS-EVEN case
What is not detected:
Rare RPC calls (MS-EVEN and the like): the rules are tuned to MS-EFSRPC and MS-RPRN. Unit 42 confirms that standard tooling misses atypical opnums
Registering DNS records for NTLM Reflection is a legitimate action for Authenticated Users. Monitoring of all DNS updates in AD DNS is configured in only a handful of organizations
Certificate enrollment at AD CS: according to Cayosoft, "standard security tools [miss] the authentication and certificate enrollment that an active PetitPotam attack entails." A certificate request from a machine account through web enrollment looks normal
Cross-protocol relay: the SOC monitors SMB authentication, while the relay goes to HTTP/LDAP. Different protocols, different logs, different teams, and between them a gap into which the whole attack fits
Recommendation for the blue team: audit NTLM traffic via GPO (Network Security → Restrict NTLM → Audit All), monitor all RPC connections to the DC (not only the known UUIDs), and alert on DNS records with specific padding in the name (the characteristic marker of NTLM Reflection).
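The baseline filtering the text calls for, as an added example (not code from the original article): it flags Security Event ID 4624 network logons (Logon Type 3) over NTLM where a machine account (name ending in "$") arrives from an address other than its own. That is what a coerced DC account relayed to a file server, or reflected back to the DC itself, looks like in the log. The key=value log format, the baseline table and the sample events are constructed; the field names follow the 4624 event schema.

```python
"""Baseline-aware detector for relayed machine-account NTLM logons.

Constructed example: events are fed in as 'key=value|key=value' lines,
the way a SIEM forwarder might export them. Adapt parse_event() to your
collector; the decision logic in is_suspicious() is the point.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    target_user: str      # TargetUserName
    logon_type: int       # LogonType (3 = network)
    auth_package: str     # AuthenticationPackageName (NTLM / Kerberos)
    ip_address: str       # IpAddress of the authenticating client
    workstation: str      # WorkstationName as claimed by the client
    computer: str         # host that wrote the event (relay destination)


# Constructed baseline: the address each machine account normally comes from.
BASELINE: Dict[str, str] = {
    "DC01$": "10.0.0.10",
    "FS01$": "10.0.0.20",
}


def is_machine_account(name: str) -> bool:
    return name.endswith("$")


def is_suspicious(ev: LogonEvent, baseline: Dict[str, str]) -> bool:
    """True when a machine account performs an NTLM network logon from an
    address other than its own. Kerberos logons are ignored (relay needs
    NTLM). A machine account with no baseline entry is flagged for triage.
    WorkstationName is deliberately not trusted: it is client-supplied."""
    if ev.event_id != 4624 or ev.logon_type != 3:
        return False
    if not is_machine_account(ev.target_user):
        return False
    if ev.auth_package.upper() != "NTLM":
        return False
    expected = baseline.get(ev.target_user)
    return expected is None or ev.ip_address != expected


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'key=value|...' line into a LogonEvent."""
    kv = dict(part.split("=", 1) for part in line.split("|"))
    return LogonEvent(
        event_id=int(kv["EventID"]),
        target_user=kv["TargetUserName"],
        logon_type=int(kv["LogonType"]),
        auth_package=kv["AuthenticationPackageName"],
        ip_address=kv["IpAddress"],
        workstation=kv["WorkstationName"],
        computer=kv["Computer"],
    )


# Constructed sample log. 10.0.0.77 plays the attacker's relay host.
SAMPLE_LOG = [
    # DC01$ from its own address: normal machine-to-machine traffic
    "EventID=4624|TargetUserName=DC01$|LogonType=3|AuthenticationPackageName=NTLM|IpAddress=10.0.0.10|WorkstationName=DC01|Computer=FS01",
    # DC01$ over NTLM from 10.0.0.77 onto FS01: classic relay after coercion
    "EventID=4624|TargetUserName=DC01$|LogonType=3|AuthenticationPackageName=NTLM|IpAddress=10.0.0.77|WorkstationName=DC01|Computer=FS01",
    # Kerberos network logon of a machine account: not relayable, ignored
    "EventID=4624|TargetUserName=FS01$|LogonType=3|AuthenticationPackageName=Kerberos|IpAddress=10.0.0.77|WorkstationName=FS01|Computer=DC01",
    # Ordinary user over NTLM: out of scope for this rule
    "EventID=4624|TargetUserName=testuser|LogonType=3|AuthenticationPackageName=NTLM|IpAddress=10.0.0.77|WorkstationName=WS77|Computer=FS01",
    # Machine account with no baseline entry: flagged for triage
    "EventID=4624|TargetUserName=SRV09$|LogonType=3|AuthenticationPackageName=NTLM|IpAddress=10.0.0.77|WorkstationName=SRV09|Computer=FS01",
    # DC01$ landing back on DC01 from a foreign address: reflection pattern
    "EventID=4624|TargetUserName=DC01$|LogonType=3|AuthenticationPackageName=NTLM|IpAddress=10.0.0.77|WorkstationName=DC01|Computer=DC01",
]


def find_suspicious(lines: List[str], baseline: Dict[str, str] = BASELINE) -> List[LogonEvent]:
    """Run the rule over raw log lines and return the events that match."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev, baseline)]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        expected = BASELINE.get(ev.target_user, "no baseline")
        print(f"ALERT {ev.target_user} NTLM network logon on {ev.computer} "
              f"from {ev.ip_address} (expected {expected})")
```

The baseline is the part that needs care in production: build it from several weeks of 4624 data per machine account (a DC may legitimately source NTLM from more than one address), otherwise the rule inherits the Logon Type 3 noise problem described above.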
Protective measures: what works and what is security theater
The netsh RPC filter deserves a separate conversation. All coercion techniques share a common set of RPC interface UUIDs. The filter blocks calls to functions on those UUIDs at the level of the Windows RPC runtime, without disrupting legitimate services if the UUID list is correct. A detailed analysis of the specific UUIDs and testing is published in the USSC article on Habr. Key requirement: the UUID list must be kept up to date, adding new interfaces as they are discovered. Skip the updates and you get a new vector in six months.
According to the Verizon 2025 DBIR (cited via SentinelOne), 31% of all breaches over the past decade involve stolen credentials. NTLM coercion is one of the most effective methods of such theft in corporate Windows environments. And as long as NTLM is alive, and it will be alive in hybrid infrastructures for years, coercion remains a standard step on every internal pentest.
In our experience, NTLM relay shows up consistently in reports on internal AD infrastructure pentests. And almost every time the customer is surprised: "we turned on SMB signing." Turned on, yes: on servers. Not on workstations. Or signing was turned on, but EPA for AD CS was not configured. Or everything was closed, but the CVE-2025-33073 patch was not rolled out, and Reflection passes through all the signing.
The problem is not a lack of defense mechanisms. Microsoft has provided everything you need. The problem is that coercion requires defenders to close dozens of RPC interfaces, multiple protocols and every level of authentication all at once. Miss one and the model crumbles. An attacker needs only one working vector out of dozens.
The 240+ untested RPC functions described by Unit 42 are an arsenal that will be deployed as standard vectors are blocked. For a pentester this means one thing: all-in-one tools like Coercer will become the norm, and manually launching a single PetitPotam will become a thing of the past. Whoever is still limited to that is leaving money on the table.