Windows Hit by Authentication Coercion That Tricks Machines into Sending Credentials
Unlike traditional phishing or privilege‑escalation tactics, authentication coercion attacks manipulate Windows’ built‑in network authentication behavior, requiring no user interaction or administrative privileges.
Authentication coercion misuses a legitimate Windows feature that allows systems to execute procedures on remote machines.
By abusing this mechanism, threat actors can make high‑value assets such as Domain Controllers, Certificate Authorities, and Citrix servers authenticate to malicious servers.
Once authentication occurs, attackers capture NTLM hashes and use relay attacks to move laterally or escalate privileges across the environment.
The trend, first observed by Unit 42 researchers, builds on earlier coercion exploits such as PrintNightmare (CVE‑2021‑34527) and PetitPotam (CVE‑2021‑36942). However, current campaigns increasingly target obscure RPC functions that evade existing detections.
Tools like DFSCoerce, ShadowCoerce, and CheeseOunce exploit lesser‑known Windows RPC protocols, such as MS‑DFSNM, MS‑FSRVP, and MS‑EVEN, which are rarely used in normal enterprise operations.
In one March 2025 attack against a healthcare organization, investigators found that adversaries used the remote event‑logging interface (MS‑EVEN) and the ElfrOpenBELW function to coerce authentication.
The activity originated from a compromised internal machine that attempted to make multiple critical assets, including RADIUS and Domain Controller servers, authenticate to an external attacker’s IP address.
Though initial credential-relay attempts failed, the attacker eventually succeeded in extracting machine account hashes from a Citrix server and a Read‑Only Domain Controller, using them later in NTLM relay and DCSync operations.
Unit 42 noted that automation and proof‑of‑concept tools available publicly have significantly lowered the technical bar for conducting these operations.
As defenses hardened known vectors, threat actors pivoted to unmonitored RPC function calls, expanding the attack surface well beyond previously documented coercion paths.
To defend against authentication coercion, researchers recommend strict monitoring of RPC traffic and baseline anomaly detection.
Key indicators include unusual UNC path parameters, RPC calls involving rare interface GUIDs or operation numbers (opnums), and outbound authentications to unrecognized IP addresses.
Prevention techniques include enforcing SMB signing, enabling Extended Protection for Authentication (EPA), disabling unused RPC‑based services such as the Print Spooler and File Server VSS Agent Service, and applying Windows RPC filters via netsh.
Behavioral analytics in platforms like Cortex XDR and XSIAM can further detect coerced authentication attempts by correlating deviations from normal machine behavior.
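The indicators above (rare interface GUID/opnum pairs and UNC arguments that point at unrecognized hosts) can be turned into a simple triage rule. The following is an added example, not code from the article or from Unit 42: a Python checker run over constructed RPC call records. The record schema, the internal address range and the sample values are assumptions; the interface UUIDs and opnums are the published values from the Microsoft protocol specifications.

```python
import ipaddress
import re

# Coercion-prone RPC calls named in the article, keyed by interface UUID. UUIDs and opnums
# are the published MS-EVEN/MS-DFSNM/MS-FSRVP/MS-RPRN values; all else here is constructed.
COERCION_CALLS = {
    "82273fdc-e32a-18c3-3f78-827929dc23ea": ("MS-EVEN", {9: "ElfrOpenBELW"}),
    "4fc742e0-4a10-11cf-8273-00aa004ae673": ("MS-DFSNM", {12: "NetrDfsAddStdRoot", 13: "NetrDfsRemoveStdRoot"}),
    "a8e0653c-2744-4389-a61d-7373df8b2292": ("MS-FSRVP", {8: "IsPathSupported", 9: "IsPathShadowCopied"}),
    "12345678-1234-abcd-ef00-0123456789ab": ("MS-RPRN", {65: "RpcRemoteFindFirstPrinterChangeNotificationEx"}),
}
UNC_HOST = re.compile(r"^\\\\([^\\]+)")  # host portion of \\host\share\...

def param_host(param):  # host named by a UNC path argument, or None if there is none
    m = UNC_HOST.match(param or "")
    return m.group(1) if m else None

def is_internal(host, internal_nets):  # IP literals are checked against allow-listed ranges
    try:
        return any(ipaddress.ip_address(host) in net for net in internal_nets)
    except ValueError:
        return True  # bare hostname: treated as internal here, resolve it first in production

def analyze(records, internal_nets):
    """Flag calls whose interface/opnum pair is a known coercion vector; raise severity when the UNC argument names an external host."""
    alerts = []
    for r in records:
        proto = COERCION_CALLS.get(r["if_uuid"].lower())
        func = proto[1].get(r["opnum"]) if proto else None
        if func is None:
            continue  # interface/opnum pair is not a coercion vector we track
        reasons = [f"{proto[0]} {func} (opnum {r['opnum']}) from {r['src']} to {r['dst']}"]
        host = param_host(r.get("param"))
        severity = "medium"
        if host and not is_internal(host, internal_nets):
            severity = "high"
            reasons.append(f"UNC argument points outside the network: {host}")
        alerts.append({"src": r["src"], "dst": r["dst"], "severity": severity, "reasons": reasons})
    return alerts

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
SAMPLE_RECORDS = [  # constructed RPC call records (src -> dst, interface UUID, opnum, path argument)
    {"src": "10.0.5.23", "dst": "DC01", "if_uuid": "82273FDC-E32A-18C3-3F78-827929DC23EA", "opnum": 9, "param": "\\\\203.0.113.7\\s\\x.evt"},
    {"src": "10.0.5.23", "dst": "RODC01", "if_uuid": "4fc742e0-4a10-11cf-8273-00aa004ae673", "opnum": 12, "param": "\\\\10.0.9.50\\dfs"},
    {"src": "10.0.7.4", "dst": "FS01", "if_uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188", "opnum": 15, "param": "\\\\FS01\\share"},
    {"src": "10.0.7.4", "dst": "DC01", "if_uuid": "82273fdc-e32a-18c3-3f78-827929dc23ea", "opnum": 3, "param": None},
]
if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS, INTERNAL_NETS):
        print(alert["severity"].upper(), "|", "; ".join(alert["reasons"]))
```

The third record (MS-SRVSVC share enumeration) and the fourth (MS-EVEN on a non-coercion opnum) produce no alert, which is the point: the rule keys on the specific interface/opnum pairs rather than on the interface alone.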
Authentication coercion represents a subtle yet potent evolution in Windows credential theft tactics, one that demands deeper visibility into RPC behavior before attackers turn legitimate features into covert credential-extraction channels.
The post Windows Hit by Authentication Coercion That Tricks Machines into Sending Credentials appeared first on Cyber Security News.