
Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://unit42.paloaltonetworks.com/authentication-coercion/
  • Blog Title: You Thought It Was Over? Authentication Coercion Keeps Evolving
  • Suggested Section: Windows -> Active Directory -> NTLM Relay & Coerced Authentication (RPC UNC-path abuse), with a subsection covering MS-EVEN ElfrOpenBELW and an updated matrix for MS-RPRN/MS-EFSR/MS-DFSNM/MS-FSRVP/MS-PAR/MS-EVEN

🎯 Content Summary

Topic: Authentication coercion in Windows/AD via RPC functions that accept UNC paths, forcing targets (including Tier 0 assets) to auto-authenticate to attacker-controlled hosts. This enables NTLM hash capture/relay and can culminate in domain compromise.


How authentication coercion works (low level):

1) Many Windows RPC interfaces expose methods (opnums) callable by low-privileged users across the network.
2) Several methods take UNC path parameters (e...

🔧 Technical Details

Generic RPC-based authentication coercion: Target RPC methods that accept UNC parameters to trigger Windows auto-authentication to an attacker-controlled UNC (e.g., \\attacker\share). Capture or relay the resulting NTLM credentials. Prefer rarely used interfaces/opnums to evade detections focused on popular bugs.

MS-EVEN ElfrOpenBELW (opnum 9) technique: Invoke ElfrOpenBELW on a remote host and supply a UNC pointing to attacker infrastructure. The EventLog Remoting protocol causes the target to authenticate to that UNC, enabling NTLM capture/relay. This opnum is infrequently used in many environments, making it a lower-noise coercion vector.

NTLM relay to AD CS: After coercing high-value machines (DCs, RODC, Citrix) to authenticate outward, relay machine-account NTLM to CA endpoints to perform certificate-related operations. With relayed machine credentials and subsequent access, attackers can progress toward domain dominance (e.g., DCSy...

🤖 Agent Actions

I analyzed the Unit42 post and explored the HackTricks repo to find the right place to add concise, high-value technical content about RPC-based authentication coercion and MS-EVEN ElfrOpenBELW.

What I found

  • HackTricks already has a “Force NTLM Privileged Authentication” page focused on Print Spooler (PrinterBug) and some client-side and in-host coercion (Win Defender, MSSQL, HTML/Email), but it lacked:
    • A unified RPC UNC-path coercion matrix covering MS-RPRN, MS-PAR, MS-EFSR, MS-DFSNM, MS-FSRVP, and MS-EVEN with pipes, UUIDs, and opnums.
    • A technique-focused section for MS-EVEN ElfrOpenBELW (opnum 9).
    • Concrete detection and hardening guidance reflecting modern RPC filtering via netsh rpc.

Decision

  • Best place to update: src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md, because this page is already the home for “force authentication” techniques and references Coercer, Spooler abuse, and related vectors.
  • I updated this single file, adding:
    • A concise RPC UNC-path coercion matrix with the relevant pipe, interface UUID, opnums, tools, and notes.
    • A new subsection dedicated to MS-EVEN ElfrOpenBELW (opnum 9) coercion, with call signature, effect, and practical use.
    • A detection and hunting subsection aligned with the blog (rare interfaces/opnums, UNC parameter inspection, burst patterns, and downstream signals).
    • A prevention/hardening subsection including netsh rpc filter examples to block specific interface/opnum, SMB signing, EPA on AD CS, disabling unused services, and reducing NTLM.

Changes implemented

  • Modified file (single file only):
    • src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
  • Additions include:
    • “RPC UNC-path coercion matrix (interfaces/opnums that trigger outbound auth)” listing:
      • MS-RPRN (spoolss) opnums 62/65
      • MS-PAR (spoolss) opnum 0
      • MS-EFSR (efsrpc/lsarpc/samr/lsass/netlogon) multiple opnums including 0/4/5/6/7/12/13/15/16
      • MS-DFSNM (netdfs) opnums 12/13
      • MS-FSRVP (FssagentRpc) opnums 8/9
      • MS-EVEN (even) opnum 9 (ElfrOpenBELW)
    • “MS-EVEN: ElfrOpenBELW (opnum 9) coercion” subsection summarizing call signature and impact.
    • “Detection and hunting” subsection with practical baselining and anomaly signals.
    • “Prevention / hardening” subsection with an explicit netsh rpc filter example:
      • netsh rpc filter add condition field=if_uuid ...
      • netsh rpc filter add condition field=opnum ...
      • netsh rpc filter add rule layer=um actiontype=block persistence=yes
    • A References section added at the end of the file with direct links to:
      • Unit42 blog (the provided URL)
      • Microsoft MS-EVEN spec and ElfrOpenBELW doc
      • Microsoft netsh rpc command doc
      • p0dalirius windows-coerced-authentication-methods catalog
      • Tooling repos: PetitPotam, DFSCoerce, ShadowCoerce

Notes

  • I preserved all existing content and style, and appended the new matrix and sections under “RCP Force authentication,” keeping the page cohesive.
  • I added a References section immediately before the training banner as required.
  • I did not create any new pages, and updated only one file to comply with the “one file only” rule.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 907
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
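A defender-side illustration of the three detection ideas the PR summarizes (rare interface/opnum pairs, inspection of UNC path parameters, burst patterns from one client), added here as an example; it is not code from this PR, from HackTricks or from the Unit42 post. It assumes a constructed, simplified RPC call telemetry format (timestamp, interface name, opnum, client, target, first string parameter), an allow-list named `ALLOWED_UNC_HOSTS`, and sample log lines that are made up for the demonstration. The interface/opnum pairs are the ones listed in the PR's coercion matrix.

```python
"""Hunt for RPC UNC-path coercion attempts in constructed RPC call telemetry.

Signals implemented (all from the PR's detection subsection):
  1. a coercion-capable interface/opnum called with a UNC path whose host is
     outside the allow-list,
  2. interface/opnum pairs that are rare within the baseline window,
  3. bursts of coercion-capable calls from a single client.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Interface -> opnums that trigger outbound authentication (PR coercion matrix).
COERCION_OPNUMS = {
    "MS-RPRN": {62, 65},
    "MS-PAR": {0},
    "MS-EFSR": {0, 4, 5, 6, 7, 12, 13, 15, 16},
    "MS-DFSNM": {12, 13},
    "MS-FSRVP": {8, 9},
    "MS-EVEN": {9},  # ElfrOpenBELW
}

# Assumed allow-list: hosts legitimately referenced by UNC in this environment.
ALLOWED_UNC_HOSTS = {"fs01"}

# Matches "\\host\share..." or "\\host" and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\\s]+)(?:\\|$)")

# Constructed sample telemetry (not real data), one call per line:
#   <unix_ts> <interface> <opnum> <client_ip> <target_host> <first string parameter or ->
SAMPLE_LOG = r"""
1000 MS-RPRN 62 10.0.1.20 PRINT01 \\fs01\spool\drv.dll
1010 MS-EVEN 7 10.0.1.21 DC01 -
1020 MS-EVEN 9 10.0.9.9 DC01 \\10.0.9.9\share\backup.evtx
1025 MS-EFSR 0 10.0.9.9 DC01 \\10.0.9.9\share\f
1030 MS-DFSNM 13 10.0.9.9 DC01 \\10.0.9.9\share
1100 MS-RPRN 62 10.0.1.20 PRINT01 \\fs01\spool
1200 MS-EVEN 7 10.0.1.22 DC01 -
"""


@dataclass
class RpcCall:
    ts: int
    iface: str
    opnum: int
    src: str
    dst: str
    param: str


def parse_log(text):
    """Parse the constructed telemetry format; blank lines and '#' comments are skipped."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, iface, opnum, src, dst, param = line.split(maxsplit=5)
        calls.append(RpcCall(int(ts), iface, int(opnum), src, dst, param))
    return calls


def unc_host(param):
    """Return the lower-cased host of a UNC path parameter, or None if it is not a UNC path."""
    m = UNC_RE.match(param)
    return m.group(1).lower() if m else None


def is_coercion_capable(call):
    return call.opnum in COERCION_OPNUMS.get(call.iface, set())


def find_coercion_attempts(calls, allowed_hosts):
    """Coercion-capable opnum plus a UNC path pointing at a host outside the allow-list."""
    return [c for c in calls
            if is_coercion_capable(c)
            and (host := unc_host(c.param)) is not None
            and host not in allowed_hosts]


def rare_opnums(calls, max_count=1):
    """Interface/opnum pairs seen at most max_count times; in practice the count
    should come from a baseline window longer than the alerting window."""
    counts = Counter((c.iface, c.opnum) for c in calls)
    return {pair for pair, n in counts.items() if n <= max_count}


def burst_sources(calls, window=60, min_calls=3):
    """Clients that issue >= min_calls coercion-capable calls within `window` seconds."""
    by_src = defaultdict(list)
    for c in calls:
        if is_coercion_capable(c):
            by_src[c.src].append(c.ts)
    bursty = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_calls:
                bursty.add(src)
                break
    return bursty


def hunt(text, allowed_hosts=ALLOWED_UNC_HOSTS, window=60, min_calls=3):
    calls = parse_log(text)
    return {
        "coercion_attempts": find_coercion_attempts(calls, allowed_hosts),
        "rare_opnums": rare_opnums(calls),
        "burst_sources": burst_sources(calls, window, min_calls),
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for c in result["coercion_attempts"]:
        print(f"[coercion] ts={c.ts} {c.src} -> {c.dst} {c.iface} opnum {c.opnum} unc={c.param}")
    print("[rare]", sorted(result["rare_opnums"]))
    print("[burst]", sorted(result["burst_sources"]))
```

On the constructed sample the UNC check flags the three calls from 10.0.9.9 (MS-EVEN opnum 9, MS-EFSR opnum 0, MS-DFSNM opnum 13) while the MS-RPRN calls that reference the allow-listed file server stay quiet; the same client also trips the burst rule, and all three of its interface/opnum pairs are rare in the window, which is the combination of signals the PR's hunting subsection describes. The allow-list is the part that needs tuning per environment: a UNC parameter that names a legitimate file server is normal, one that names a workstation or an IP in a user VLAN usually is not.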

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/authentication-coercion/

Content Categories: Based on the analysis, this content was categorized under "Windows -> Active Directory -> NTLM Relay & Coerced Authentication (RPC UNC-path abuse), with a subsection covering MS-EVEN ElfrOpenBELW and an updated matrix for MS-RPRN/MS-EFSR/MS-DFSNM/MS-FSRVP/MS-PAR/MS-EVEN".

Repository Maintenance:

  • MD Files Formatting: 907 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop (Collaborator, Author)

merge

@carlospolop carlospolop merged commit f73f3e0 into master Nov 12, 2025
@carlospolop carlospolop deleted the update_You_Thought_It_Was_Over__Authentication_Coercion_K_20251111_063229 branch November 12, 2025 09:10
