🔴 HIGH · analysis

Authentication Coercion - Rare RPC Abuse Escalates Domain Risk

Category:Threat Alerts
Authentication coercion attacks force Windows machines to authenticate to attacker-controlled servers, enabling NTLM hash theft and relay to privileged services (T1557, T1556, T1040). Unit 42 reports growing abuse of rarely monitored RPC interfaces like MS-EVEN (ElfrOpenBELW, opnum 9), beyond well-known vectors such as PrintNightmare/PetitPotam. In a 2025 case, attackers coerced multiple servers (including DCs/RODCs/Citrix) and relayed machine-account hashes to Certificate Authority servers, attempting DCSync (T1003.006).

The technique misuses auto-authentication to UNC paths passed in RPC calls, sometimes requiring only low-privileged domain access. Attackers enumerate obscure opnums across MS-RPRN, MS-EFSR, MS-DFSNM, MS-FSRVP, MS-PAR, and MS-EVEN, which increases detection complexity. Once coerced credentials are captured, adversaries perform NTLM relay to escalate privileges, enroll certificates, or pivot laterally.

Business risk: one coerced domain controller or Citrix server can enable enterprise-wide compromise, impacting confidentiality, integrity, and availability. Compliance risk arises if relayed credentials enable access to regulated datasets. The technique often evades point detections that only cover the famous opnums.

Mitigations: enforce SMB signing and Extended Protection for Authentication (EPA), disable unused RPC services (e.g., File Server VSS Agent), and filter RPC with netsh. Build analytics for rare interface/opnum usage, block relays to AD CS, and audit for anomalous RPC to external IPs. Combine with Credential Guard and NTLM hardening.
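The "analytics for rare interface/opnum usage" the alert calls for can be prototyped over RPC telemetry such as Zeek's dce_rpc.log. The PowerShell below is an added hunting example, not code from the Unit 42 report or any vendor product: it parses constructed dce_rpc.log-style rows, alerts on known coercion operations aimed at Tier 0 hosts, flags operations that are rare for their interface in the baseline window (which is what catches opnums not yet on a watchlist), and flags a single source sweeping several coercion-prone interfaces. All addresses, records and the Tier 0 list are constructed; the endpoint labels are assumed to match the sample rows and should be checked against your sensor's UUID-to-name map.

```powershell
# Added hunting example, not code from the Unit 42 report or any vendor product.
# Scores Zeek dce_rpc.log-style records for rare or coercion-prone RPC operations
# against Tier 0 hosts. Every record, address and the Tier 0 list below is
# constructed; endpoint labels are assumed to match the sample rows.

# Coercion-prone interfaces from the alert, keyed by the endpoint label used in the sample rows.
$CoercionInterfaces = @{
    'spoolss'     = 'MS-RPRN'
    'efsrpc'      = 'MS-EFSR'
    'netdfs'      = 'MS-DFSNM'
    'FssagentRpc' = 'MS-FSRVP'
    'eventlog'    = 'MS-EVEN'
}

# Publicly documented coercion operations; ElfrOpenBELW is the one the alert names.
$WatchedOperations = @('ElfrOpenBELW', 'EfsRpcOpenFileRaw', 'NetrDfsAddStdRoot',
                       'IsPathSupported', 'RpcRemoteFindFirstPrinterChangeNotificationEx')

# Assumed Tier 0 addresses (domain controllers, CA servers) in this constructed environment.
$Tier0Hosts = @('10.0.0.10', '10.0.0.11')

# Constructed records in Zeek dce_rpc.log column order:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation
$SampleLog = @'
1700000001.1 C1 10.0.5.23 49721 10.0.0.10 445 0.002 \pipe\spoolss spoolss RpcEnumPrinters
1700000002.2 C2 10.0.5.23 49722 10.0.0.10 445 0.003 \pipe\spoolss spoolss RpcEnumPrinters
1700000003.3 C3 10.0.5.30 49801 10.0.0.10 445 0.002 \pipe\eventlog eventlog ElfrOpenEventLogW
1700000004.4 C4 10.0.5.30 49801 10.0.0.10 445 0.002 \pipe\eventlog eventlog ElfrReadEventLogW
1700000005.5 C5 10.0.5.30 49802 10.0.0.10 445 0.002 \pipe\eventlog eventlog ElfrOpenEventLogW
1700000006.6 C6 10.0.5.41 49910 10.0.0.10 445 0.001 \pipe\samr samr SamrConnect5
1700000010.0 C7 10.0.9.77 50112 10.0.0.10 445 0.004 \pipe\eventlog eventlog ElfrOpenBELW
1700000011.0 C8 10.0.9.77 50113 10.0.0.11 445 0.004 \pipe\lsarpc efsrpc EfsRpcOpenFileRaw
1700000012.0 C9 10.0.9.77 50114 10.0.0.10 445 0.004 \pipe\netdfs netdfs NetrDfsAddStdRoot
'@

function ConvertFrom-DceRpcLog {
    param([string]$Text)
    $fields = 'ts','uid','orig_h','orig_p','resp_h','resp_p','rtt','named_pipe','endpoint','operation'
    foreach ($line in ($Text -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $parts = $line.Trim() -split '\s+'          # real Zeek logs are tab-separated; \s+ handles both
        if ($parts.Count -ne $fields.Count) { continue }   # skip malformed rows
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $parts[$i] }
        [pscustomobject]$rec
    }
}

function Get-CoercionFindings {
    param([object[]]$Records, [int]$RareThreshold = 2)
    $findings = [System.Collections.Generic.List[object]]::new()
    $relevant = @($Records | Where-Object { $CoercionInterfaces.ContainsKey($_.endpoint) })

    # 1. Known coercion operations aimed at Tier 0 hosts: alert on sight.
    foreach ($r in $relevant) {
        if ($WatchedOperations -contains $r.operation -and $Tier0Hosts -contains $r.resp_h) {
            $findings.Add([pscustomobject]@{ Rule = 'watched-operation'; Source = $r.orig_h
                Target = $r.resp_h; Detail = "$($CoercionInterfaces[$r.endpoint]) $($r.operation)" })
        }
    }
    # 2. Operations rare for their interface in the baseline window (catches unlisted opnums).
    foreach ($g in ($relevant | Group-Object -Property endpoint, operation)) {
        if ($g.Count -lt $RareThreshold) {
            $s = $g.Group[0]
            $findings.Add([pscustomobject]@{ Rule = 'rare-operation'; Source = $s.orig_h
                Target = $s.resp_h; Detail = "$($CoercionInterfaces[$s.endpoint]) $($s.operation) seen $($g.Count)x" })
        }
    }
    # 3. One source touching several coercion-prone interfaces on Tier 0 hosts (the enumeration pattern).
    foreach ($g in ($relevant | Where-Object { $Tier0Hosts -contains $_.resp_h } | Group-Object -Property orig_h)) {
        $ifaces = @($g.Group | ForEach-Object { $_.endpoint } | Sort-Object -Unique)
        if ($ifaces.Count -ge 3) {
            $findings.Add([pscustomobject]@{ Rule = 'interface-sweep'; Source = $g.Name
                Target = (($g.Group | ForEach-Object { $_.resp_h } | Sort-Object -Unique) -join ',')
                Detail = (($ifaces | ForEach-Object { $CoercionInterfaces[$_] }) -join ',') })
        }
    }
    return $findings
}

$records = @(ConvertFrom-DceRpcLog -Text $SampleLog)
Get-CoercionFindings -Records $records | Sort-Object Rule, Source | Format-Table -AutoSize
```

On the constructed rows the source 10.0.9.77 produces three watched-operation findings, an interface-sweep finding covering MS-EVEN, MS-EFSR and MS-DFSNM, and rare-operation findings; the benign ElfrReadEventLogW row also trips the rarity rule because the sample window is tiny. In production, compute the per-interface baseline over weeks of traffic and raise RareThreshold accordingly, and keep the Tier 0 rule separate so it stays high-fidelity.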

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Domain-wide compromise and PKI abuse can follow successful coercion and relays, resulting in persistent attacker control and costly incident response. Technical Context: Coercion via obscure RPC opnums (e.g., MS-EVEN) → NTLM capture/relay → CA/AD abuse and potential DCSync. ATT&CK: T1557 (Adversary-in-the-Middle), T1556 (Modify Authentication), T1040 (Network Sniffing), T1003.006 (DCSync).

Strategic Intelligence Guidance

  • Turn on SMB signing/EPA; restrict NTLM, and harden AD CS following Microsoft’s PKI relay mitigations.
  • Deploy RPC filters (netsh rpc filter) and detections for rare opnums across MS-RPRN/EFSR/DFSNM/FSRVP/EVEN.
  • Isolate Tier 0 assets; monitor for outbound RPC with UNC paths to untrusted IPs.
  • Instrument relay detections and block device enrollment abuses on CA endpoints.
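The "netsh rpc filter" control referenced above can be applied as a user-mode RPC filter keyed on interface UUID. The script below is an added hardening example, not the alert's tooling or a Microsoft-published script: it blocks inbound calls to MS-EFSR and MS-FSRVP (the File Server VSS Agent interface the alert suggests disabling), and leaves MS-EVEN and MS-DFSNM behind a switch because blocking them removes remote event log access and DFS namespace management. The UUIDs are the interface identifiers from the respective protocol specifications; validate the host role before applying, since servers that use EFS over RPC will lose that function.

```powershell
#Requires -RunAsAdministrator
# Added hardening example; not the alert's tooling or a Microsoft-published script.
# Blocks coercion-prone RPC interfaces at the RPC runtime with "netsh rpc filter".
# UUIDs are the interface identifiers from the protocol specifications.
param([switch]$IncludeHigherImpact)   # also block MS-EVEN and MS-DFSNM

$Blocked = @(
    @{ Name = 'MS-EFSR (lsarpc)'; Uuid = 'c681d488-d850-11d0-8c52-00c04fd90f7e' },
    @{ Name = 'MS-EFSR (efsrpc)'; Uuid = 'df1941c5-fe89-4e79-bf10-463657acf44d' },
    @{ Name = 'MS-FSRVP';         Uuid = 'a8e0653c-2744-4389-a61d-7373df8b2292' }
)
if ($IncludeHigherImpact) {
    # Remote event log reads and DFS namespace management stop working once these are blocked.
    $Blocked += @{ Name = 'MS-EVEN';  Uuid = '82273fdc-e32a-18c3-3f78-827929dc23ea' }
    $Blocked += @{ Name = 'MS-DFSNM'; Uuid = '4fc742e0-4a10-11cf-8304-00aa004b2c46' }
}

foreach ($iface in $Blocked) {
    Write-Host "Blocking $($iface.Name) [$($iface.Uuid)]"
    # Each filter is staged in three steps: rule (action), condition (match), then commit.
    netsh rpc filter add rule layer=um actiontype=block
    netsh rpc filter add condition field=if_uuid matchtype=equal "data=$($iface.Uuid)"
    netsh rpc filter add filter
}

# Verify the installed filters; they persist until deleted. To roll back everything:
#   netsh rpc filter delete filter filterkey=all
netsh rpc filter show filter
```

Treat this as one layer alongside SMB signing and EPA: the filter stops the coercion call from being serviced on this host, while signing and EPA make any coerced authentication that still occurs unrelayable.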

CVEs

CVE-2021-36942

Vendors

Microsoft

Threats

Authentication coercion
NTLM relay

Targets

Windows domains
Active Directory CS
Citrix servers