AD-COERCE · Initial Access
Authentication Coercion
Force a target machine account to authenticate to an attacker-controlled host: PetitPotam (EFSRPC), PrinterBug (RPRN), DFSCoerce (DFSNM).
§ Where this technique fits
AD-COERCE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 3.5 on average.
§ Dossiers chaining this technique
- step 3 / 6: PetitPotam + ADCS ESC8 → Domain Controller takeover
  Coerce a DC's machine account to authenticate to the attacker, relay that NTLM authentication to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.
- step 4 / 7: Unconstrained delegation → Capture DC TGT → DCSync
  Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from that host's LSASS, then DCSync.
§ What commonly comes next
- 01 · ADCS ESC8 — HTTP Web Enrollment NTLM Relay · seen 1× · AD-ESC8 · Credential Access
- 02 · Unconstrained Delegation Abuse · seen 1× · AD-UNC-DEL · Lateral Movement