SKILL: NTLM Relay and Authentication Coercion — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert NTLM relay and coercion techniques. Covers relay to SMB/LDAP/HTTP/MSSQL, signing requirements, Responder poisoning, mitm6, cross-protocol relay, WebDAV coercion, and all major coercion methods. Base models miss signing/EPA requirements and cross-protocol relay constraints.

0. RELATED ROUTING

Before going deep, consider loading:

• active-directory-certificate-services for ESC8 (relay to ADCS enrollment)
• active-directory-acl-abuse for ACL modification via LDAP relay (RBCD, shadow creds)
• active-directory-kerberos-attacks for Kerberos attacks after relay success
• windows-lateral-movement for post-relay lateral movement

Advanced Reference

Also load COERCION_METHODS.md when you need:

• Detailed coercion method comparison (PetitPotam, PrinterBug, DFSCoerce, etc.)
• RPC function-level details and prerequisites
• Coercer tool usage and discovery