CredCoerce.md

CredCoerce

Sends RPC calls to coerce a system to authenticate to a remote system

Synopsis

CredCoerce [options] -Techniques <ComponentSelector`1[]> <ServerName> <VictimPath>

Parameters

Name	Aliases	Value	Description
<ServerName>		<String>	Name of computer to coerce
<VictimPath>		<String>	Path to send in RPC call

Options

Name	Aliases	Value	Description
-Techniques		<ComponentSelector`1[]>	List of coercion techniques to attempt
			Possible values:
			*
			Efs.OpenFile
			Efs.EncryptFile
			Efs.DecryptFile
			Efs.QueryUsersOnFile
			Efs.QueryRecoveryAgents
			Efs.RemoveUsersFromFile
			Efs.AddUsersToFile
			Efs.FileKeyInfo
			Efs.DuplicateEncryptionInfoFile
			Efs.AddUsersToFileEx
			Efs.FileKeyInfoEx
			Efs.GetEncryptedFileMetadata
			Efs.SetEncryptedFileMetadata
			Efs.EncryptFileExSrv
-ConsoleOutputStyle	-OutputStyle	<OutputStyle>	Determines the output style
			Possible values:
			Freeform
			Raw
			Table
			List
			Csv
			Tsv
			Json
-OutputHeaders		<SwitchParam>	Print headers for table/list/CSV/TSV styles
			Default: True
-SpnOverride		<SpnMapping[]>	Specifies an SPN override
-AuthProxy		<EndPoint>	Endpoint of auth proxy
-Socks5		<host-or-ip:port>	End point of SOCKS 5 server to use

Output

Name	Aliases	Value	Description
-LogLevel		<LogMessageSeverity>	Sets the lowest level of messages to log
			Possible values:
			Debug
			Diagnostic
			Verbose
			Info
			Warning
			Error
			Critical
-ConsoleLogFormat	-LogFormat	<LogFormat>	Sets the format of log messages written to the console
			Default: 0
			Possible values:
			Text
			TextWithTimestamp
			Json
-Verbose	-V	<SwitchParam>	Prints verbose messages
-Diagnostic	-vv	<SwitchParam>	Prints diagnostic messages
-HumanReadable		<SwitchParam>	Formats file sizes as human-readable values

Authentication

Name	Aliases	Value	Description
-Anonymous		<SwitchParam>	Uses anonymous login
-UserName	-u	<UserPrincipalName>	User name to authenticate with, not including the domain
-UserDomain	-ud	<String>	Domain of user to authenticate with
-Password	-p	<String>	Password to authenticate with
-NtlmHash		<hexadecimal hash>	NTLM hash for NTLM authentication

Authentication (Kerberos)

Name	Aliases	Value	Description
-AesKey		<HexString>	AES key (128 or 256)
-DesKey		<HexString>	DES key
-Tgt		<String>	Name of file containing a ticket-granting ticket (.kirbi or ccache)
-Tickets		<String[]>	Name of file containing service tickets (.kirbi or ccache)
-TicketCache		<String>	Name of ticket cache file
-K, -Kdc		<host-or-ip:port>	KDC endpoint
-S4UserName		<UserPrincipalName>	Name of user to impersonate with S4U
-U2UserName		<UserPrincipalName>	User name to request TGT for U2U
-S4UserCert		<String>	Name of file containing a certificate of a user to impersonate with S4U
-S4ProxyService		<SecurityPrincipalName>	Name of service to proxy through
-UserCert		<String>	Name of file containing user's certificate (for PKINIT)
-UserKey		<String>	Name of file containing user's key (for PKINIT)
-UserKeyPassword		<String>	Password to decrypt file containing user's key (for PKINIT)

Authentication (NTLM)

Name	Aliases	Value	Description
-Workstation	-w	<String>	Name of workstation to send with NTLM authentication
-NtlmVersion		<Version>	NTLM version number (a.b.c.d)

Connection

Name	Aliases	Value	Description
-HostAddress	-ha	<String[]>	Network address(es) of the server
-UseTcp6Only	-6	<SwitchParam>	Only use TCP over IPv6 endpoint
-UseTcp4Only	-4	<SwitchParam>	Only use TCP over IPv4 endpoint