Skip to content


Microsoft Windows Machine Account NTLM Coercion via File Server Remote VSS Protocol Manipulation

Base Score 5.3


Microsoft's File Server Remote VSS Protocol [MS-FSRVP] is used for creating shadow copies of file shares on a remote computer, and for facilitating backup applications in performing application-consistent backup and restore of data on SMB2 shares. An attacker controlling a domain user/computer can, manipulate one of the vulnerable methods to make it authenticate to a target of the attacker's choosing.


An attacker with unauthorized access to the network can use this vulnerability to coerce a Domain Controller to authenticate to another server using NTLM, allowing for hash capturing and NTLM relay to a vulnerable endpoint. Historically, this vulnerability has been paired with a vulnerable Active Domain Certificate Services web interface to acquire persistent credentials for the Domain Controller Machine account -- leading to a full domain compromise.