Skip to content


Microsoft Windows Machine Account NTLM Coercion via Authenticated LSARPC Spoofing

Base Score 5.3


The Microsoft Encrypted File System Remote Protocol (MS-EFSRPC) performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network. When a system handles certain EFSRPC requests, it uses NTLM authentication by default to connection to a file specified in the request. The resulting NTLM authentication information contains the machine account of the system. The EfsRpcEncryptFileSrv method can be invoked by an authenticated domain user, allowing an attacker to coerce a target system. This has been designated a "no fix" issue by Microsoft.


An attacker with access to low privileged user credentials can use this vulnerability to coerce a Domain Controller to authenticate to another server using NTLM, allowing for hash capturing and NTLM relay to a vulnerable endpoint. Historically, this vulnerability has been paired with a vulnerable Active Domain Certificate Services web interface to acquire persistent credentials for the Domain Controller Machine account -- leading to a full domain compromise.