Authentication Coercion Attacks Abuse Windows to Force Systems into Sending Credentials

Researchers have uncovered an upsurge in authentication coercion cyber-attacks, which abuse Windows Remote Procedure Call (RPC) mechanisms to force systems into sending their credentials to an attacker-controlled system.

You can find out more via this Palo Alto Unit 42 blog post: https://unit42.paloaltonetworks.com/authentication-coercion/

Jim Routh, Chief Trust Officer at Saviynt, commented:

“Authentication coercion attacks represent a particularly challenging attack vector for enterprises that rely on extensive use of Microsoft architecture and products. These attacks enable lateral movement with limited visibility for the enterprise. There are several remediation steps recommended that generally require strict adherence to limits in how RPC (remote procedure call) is used within the enterprise. The larger and more complex the enterprise, the more difficult it is to enforce the limitations of RPC.

“Enterprises should consider more maturity in how privileged access management (PAM) works, including the use of continuous validation techniques that compare attributes from data streams to established patterns. These techniques measure the deviation from the established pattern mathematically. The deviation threshold (number or score) can trigger automated workflows that restrict access (lateral movement) within milliseconds of an attack attempt. This type of capability is not dependent on humans to detect the threats. It is similar to the way our body’s immune system operates when exposed to bacteria or a virus. Our body’s immune system automatically produces white blood cells and antibodies to attack the bacterial infection. Continuous validation techniques represent a digital immune system response that can take action in milliseconds when lateral movement is automatically identified.”
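The "continuous validation" idea in the quote above (compare an attribute of an event stream against an established pattern, score the deviation mathematically, and let a threshold trigger an automated restriction) can be illustrated with a small scorer. The following is an added example written for this post; it is not code from Unit 42, Saviynt or any product. The attribute it watches is the destination of each outbound authentication, because a coerced server authenticates to a host it normally never talks to. The host names, log lines, smoothing choice and the 4-bit threshold are all constructed for the illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed learning-window events: (source host, destination host) pairs
# seen during normal operation. Host names are hypothetical.
BASELINE_EVENTS = (
    [("FS01", "DC01")] * 30
    + [("FS01", "SQL01")] * 10
    + [("WS-042", "DC01")] * 50
    + [("WS-042", "FS01")] * 20
)

# Constructed stream of new events in a simple key=value log format.
# The third line is the kind of event coercion produces: a file server
# suddenly authenticating outbound to an address it has never contacted.
NEW_EVENT_LINES = [
    "2024-05-01T10:00:00Z src=FS01 dst=DC01 proto=NTLM",
    "2024-05-01T10:00:02Z src=FS01 dst=SQL01 proto=NTLM",
    "2024-05-01T10:00:05Z src=FS01 dst=10.0.9.250 proto=NTLM",
    "2024-05-01T10:00:07Z src=WS-042 dst=FS01 proto=NTLM",
]

EVENT_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)")


def parse_event(line):
    """Extract src/dst/proto from one constructed log line."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def build_baseline(events):
    """Per-source histogram of destinations: the 'established pattern'."""
    baseline = defaultdict(Counter)
    for src, dst in events:
        baseline[src][dst] += 1
    return baseline


def deviation_score(baseline, src, dst):
    """Surprisal, in bits, of `src` authenticating to `dst` given its baseline.

    Add-one smoothing gives a never-seen destination a finite but high score;
    a source with no baseline at all is treated as maximally surprising.
    """
    counts = baseline.get(src)
    if not counts:
        return math.inf
    total = sum(counts.values())
    p = (counts.get(dst, 0) + 1) / (total + 1)
    return -math.log2(p)


def evaluate_stream(baseline, lines, threshold, restrict):
    """Score each event; when the score reaches `threshold`, call `restrict`
    (the automated workflow) and flag the event. Returns per-event verdicts
    as (src, dst, score, flagged) tuples."""
    verdicts = []
    for line in lines:
        ev = parse_event(line)
        score = deviation_score(baseline, ev["src"], ev["dst"])
        flagged = score >= threshold
        if flagged:
            restrict(ev["src"], ev["dst"], score)
        verdicts.append((ev["src"], ev["dst"], round(score, 2), flagged))
    return verdicts


def demo(threshold=4.0):
    """Run the constructed stream against the constructed baseline."""
    baseline = build_baseline(BASELINE_EVENTS)
    restricted = []
    verdicts = evaluate_stream(
        baseline, NEW_EVENT_LINES, threshold,
        restrict=lambda s, d, sc: restricted.append((s, d)),
    )
    return verdicts, restricted


if __name__ == "__main__":
    verdicts, restricted = demo()
    for v in verdicts:
        print(v)
    print("restricted:", restricted)
```

In this toy run only the FS01 to 10.0.9.250 event crosses the threshold and triggers the restriction callback; the familiar DC01 and SQL01 destinations score well under one and two bits respectively. A production version would score several attributes at once (protocol, time of day, rate) and feed the callback into a real PAM or network-control workflow, but the shape is the same: a baseline, a numeric deviation, and a threshold that acts without waiting for a human.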

This is another big hint that organizations need to look at making sure that users are only able to do what they need to do and nothing more. That would make attacks like these way less effective.
