Source: #_shellntel Blog Author: unknown URL: https://blog.shellntel.com/p/using-rpc-filters-to-protect-against-coercion-attacks

ONE SENTENCE SUMMARY:

Coercion attacks exploit network vulnerabilities to escalate privileges, requiring comprehensive remediation and detection strategies beyond simple patches or fixes.

MAIN POINTS:

1. Coercion attacks force authentication requests to attacker-specified hosts, often chaining with other exploits.
2. Many organizations fail to fully remediate coercion vulnerabilities despite widespread awareness.
3. Partial remediation often focuses on ADCS or NTLMv1 downgrading, leaving other attack vectors open.
4. RPC filters in Windows can mitigate some coercion attacks but have limitations and bypasses.
5. Several well-known coercion vulnerabilities exist, including Printer Bug, PetitPotam, and DFS Coerce.
6. Microsoft has patched some vulnerabilities, but others remain exploitable with authenticated access.
7. PowerShell scripts can help automate blocking vulnerable RPC endpoints.
8. Event IDs like 5145 and 5712 can aid in detecting coercion attack attempts.
9. Domain Controllers should not run print spooler services to reduce attack surfaces.
10. Effective remediation requires patching, disabling unnecessary services, and implementing robust monitoring.

TAKEAWAYS:

1. Coercion attacks remain a serious privilege escalation threat despite existing mitigations.
2. Organizations must implement layered defenses, not just rely on patching.
3. PowerShell scripts can streamline RPC endpoint blocking for better security.
4. Monitoring Event IDs like 5145 can improve detection of attack attempts.
5. Regular security assessments are essential to identify and remediate lingering vulnerabilities.