Coerced Authentication

The initial reconnaissance and setup phase requires minimal resources but careful planning. The attack requires only a low-privileged domain user account, which can often be obtained through means such as password spraying, credential theft, or social engineering attacks. During this phase, the attacker conducts network reconnaissance to identify target domain controllers running LDAP or LDAPS services, typically scanning ports (389 or 636) or using tools like NetExec with the module ldap-checker to verify if LDAP or LDAPS  service is running and requires channel binding or not.

  1. Password cracking
  2. Credentials relay (NTLM/Kerberos relay)

Our research and analysis have identified several specific technical indicators that can reliably detect exploitation attempts targeting this vulnerability. These indicators represent unique fingerprints left by the attack methodology and provide high-confidence detection opportunities:

  1. “Printer Bug”: Discovered by Lee Christensen from SpecterOps in 2018, this vulnerability in the print spooler service enables attackers to trigger authentication by a remote host’s computer account. If the remote machine is privileged (e.g., a domain controller), that authentication can be relayed and the computer account privileges are used. This is often chained with NTLM relay attacks against Active Directory Certificate Services (AD CS) for domain compromise.
  2. PetitPotam: This is a similar coercion technique that exploits the MS-EFSRPC protocol to force Windows hosts to authenticate to arbitrary targets.

This manipulation effectively bypasses multiple layers of security controls, including channel binding mechanisms and signing requirements that would normally prevent such attacks.

Understanding CVE-2025-54918

CVE-2025-54918 represents a critical security vulnerability that combines coercion techniques with NTLM relay manipulation to achieve domain controller compromise. Attackers can leverage a coercion attack (e.g., the Printer Bug exploit) to initiate an authentication attempt from the domain controller, then modify some fields in the authentication packets and relay this authentication to gain elevated privileges. The attack is particularly concerning as it bypasses traditional security controls like channel binding and LDAP signing requirements, making it effective even in environments with standard hardening measures in place.

Technical Attack Flow

Preparation

Upon successful completion of the relay attack, the attacker achieves SYSTEM-level access to the domain controller, representing the highest possible privilege level on the system. This escalation effectively bypasses multiple traditional security controls that organizations typically rely upon for protection:
The LDAP/LDAPS protocol provides the necessary interface for the attacker to execute privileged operations once authentication succeeds.

Coercion

To implement this detection capability, customers must manually enable the CRT through Falcon Next-Gen SIEM by navigating to NGS -> Monitor and investigate -> Rules -> Templates and searching for the relevant CRT: “CrowdStrike – Identity – Unusual NTLM LDAP Authentication Pattern (CVE-2025-54918)”
Falcon Next-Gen Identity Security provides insights into Active Directory environment configurations, surfacing critical security risks that could enable NTLM relay attacks. It continuously monitors and assesses AD security posture, identifying misconfigurations such as disabled SMB signing, inadequate LDAP signing settings, missing LDAPS channel binding implementations, and Print Spooler service running. These insights enable security teams to proactively address configuration weaknesses before they can be exploited.

  • Empty username fields that indicate the authentication is originating from a SYSTEM account
  • LOCAL_CALL flag set in the NTLM negotiation, signifying that the authentication request is being treated as a local system call
  • SEAL and SIGN flags are set in the NTLM negotiation, indicating the authentication session requires message signing and sealing
  • The authentication attempt uses the domain controller’s machine account credentials

Authentication Manipulation

Through CrowdStrike’s integrated security ecosystem, organizations can detect, prevent, and respond to exploitation attempts of CVE-2025-54918 and similar threats, supporting efforts to secure their Active Directory environments. 

  • Removes SEAL flag: This eliminates the requirement for message encryption, allowing the attacker to process and relay the authentication in plaintext
  • Removes SIGN flag: This bypasses message integrity verification, preventing the domain controller from detecting that the authentication has been tampered with
  • Preserves LOCAL_CALL flag: This crucial flag must remain intact as it signals to the receiving system that the authentication should be treated as a local system call rather than a remote network authentication

The Falcon platform provides comprehensive protection capabilities that directly address these mitigation strategies.

Relay Attack Execution

The coercion phase exploits the well-documented Printer Bug vulnerability through the Microsoft Print System Remote Protocol (MS-RPRN) interface. The attacker uses this remote protocol to establish a connection with the target domain controller’s print spooler service, which runs with SYSTEM privileges. 

  • The preserved LOCAL_CALL flag convinces the authentication subsystem that this is a local system call
  • The modified security flags allow for unsigned communication, bypassing normal security verification processes
  • The empty username field is indicating the authentication is originating from a SYSTEM account

Coerced authentication is a procedure where attackers trigger a remote authentication to a compromised machine. When the attackers capture the network login on the compromised machine, they can use this authentication to perform:

Privilege Escalation

The attacker then establishes a malicious listener infrastructure on a system they control that has connectivity to the target domain controller, configuring it to capture and manipulate incoming NTLM authentication attempts. This listener must be positioned to intercept network traffic and be able to modify authentication packets in real time.

  • Channel binding: Normally prevents authentication relay attacks by cryptographically binding the authentication to the specific network channel
  • LDAP signing requirements: Usually ensures all LDAP communications are digitally signed to prevent tampering

With SYSTEM-level access achieved, the attacker gains complete control over the domain controller, enabling them to perform any administrative action including creating new accounts, modifying group memberships, accessing sensitive data, and potentially compromising the entire Active Directory forest.

Detection Strategy and Technical Analysis

Two well-known examples of authentication coercion attacks are:
CVE-2025-54918 represents a significant threat to organizations by potentially allowing attackers to compromise entire Active Directory environments from a single low-privileged account. Understanding and detecting this attack vector is crucial to maintain security integrity. 

Technical Indicators and Forensic Artifacts

During this critical phase, the attacker intercepts the domain controller’s authentication attempt using their malicious listener infrastructure. The attacker then performs manipulation of the NTLM authentication packet structure, specifically targeting the security flags that govern the authentication process. The manipulation involves removing specific security flags while preserving others:

  • Empty username fields in NTLM authentication attempts: This represents one of the most distinctive indicators of the attack, as legitimate user authentication processes typically include populated username fields. The presence of empty username fields in network authentication attempts should trigger immediate investigation.
  • LOCAL_CALL flag presence: The detection of LOCAL_CALL flags in authentication traffic provides a strong indicator of potential exploitation, as this flag should typically only appear in genuine local system authentication contexts, not in network-based authentication scenarios.
  • Modified SEAL and SIGN flags: Monitoring for authentication packets where these critical security flags have been removed or altered indicates potential tampering and relay attack activity. The absence of these flags in contexts where they should be present represents a clear security violation.
  • LDAP/LDAPS protocol usage: Unusual patterns in LDAP or LDAPS protocol utilization, particularly when correlated with the other indicators, can help identify exploitation attempts. Organizations should monitor for unexpected LDAP or LDAPS connections and authentication patterns.

Falcon Exposure Management delivers critical visibility for patch management initiatives, enabling organizations to rapidly identify vulnerable systems and prioritize remediation efforts based on actual risk exposure. This capability is essential for implementing the first mitigation strategy effectively, allowing critical patches like the CVE-2025-54918 fix to be deployed systematically across the enterprise.
The comprehensive Falcon platform provides multiple layers of protection:

Mitigation and Protection Strategies

Building upon our research findings, we have developed a specialized correlation rule template (CRT) signature leveraging Falcon platform identity data within Falcon Next-Gen SIEM that can specifically help identify potential CVE-2025-54918 exploitation attempts. Our internal research demonstrates that this signature employs correlation logic that analyzes the technical indicators mentioned above, providing organizations with the tools to support an automated detection capability for this sophisticated attack vector. The CRT signature focuses on identifying combinations of these technical indicators within specific timeframes, enabling security teams to detect exploitation attempts with high confidence while minimizing false positive alerts.
By sending a specially crafted RPC call to the print spooler (RpcRemoteFindFirstPrinterChangeNotificationEx), the attacker forces the domain controller to initiate an outbound authentication attempt to the attacker-controlled system. This coerced authentication attempt carries distinctive characteristics that are crucial for the subsequent exploitation phases:
Security teams must configure their monitoring infrastructure to capture and analyze NTLM authentication traffic, particularly focusing on communications involving LDAP/LDAPS protocols. This comprehensive approach ensures exploitation attempts can be identified through specific technical indicators before they result in successful privilege escalation.
The modified authentication packet is then strategically relayed back to the originating domain controller using the LDAP/LDAPS protocol as the relay target. This creates a man-in-the-middle scenario where the domain controller unknowingly authenticates against itself through the attacker’s infrastructure. The domain controller processes this relayed authentication as a legitimate local authentication due to several factors:

Conclusion

Beyond configuration assessment, Falcon Next-Gen Identity Security delivers account activity monitoring, including detailed NTLM authentication tracking and behavioral analysis. The platform provides specialized NTLM relay detection capabilities that can identify suspicious authentication patterns and potential relay attack attempts in real time.
Detecting CVE-2025-54918 exploitation attempts requires implementing a multi-layered monitoring strategy that focuses on anomalous authentication patterns within Active Directory environments. The sophisticated nature of this vulnerability demands advanced detection techniques that go beyond traditional signature-based approaches.

  • Proactive detection through Falcon Next-Gen SIEM
  • Expert threat hunting through CrowdStrike Falcon® Adversary OverWatch™

CVE-2025-54918 represents a new evolution in these attack techniques, combining NTLM relay manipulation with authentication coercion to bypass even robust security controls, making it particularly dangerous in modern Active Directory environments.

Similar Posts