NTLM Coercion in Active Directory — Detection & Mitigation

1. What is NTLM Coercion? NTLM coercion is an attack technique where an adversary with network access forces a Windows machine — typically a Domain Controller — to authenticate against an attacker-controlled host. That authentication travels in NTLM format and can be captured and relayed (NTLM relay) to access other domain resources, or cracked offline. The classic scenario: The attacker runs a coercion tool (Coercer, PetitPotam, PrinterBug) against a DC. The DC automatically attempts to authenticate against the attacker’s IP. The attacker captures the NTLMv2 hash and relays or cracks it. Depending on privileges, this can lead to full domain compromise. 2. Common Coercion Vectors Vector Protocol Notes Print Spooler (MS-RPRN) RPC / SMB Most historically exploited EFS (MS-EFSRPC) RPC Requires EFS to be active DFS (MS-DFSNM) RPC / SMB Common on DCs with DFS enabled WebClient (WebDAV) HTTP Requires the service to be running 3. What Changed in Windows Server 2025 Windows Server 2025 (and Server 2022 23H2 onwards) introduced significant changes that reduce the default attack surface: ...

July 6, 2026 · 3 min · Tony Merisan