To coerce NTLM authentication to a compromised host:
Assuming access to an email inbox (e.g. Outlook), send the target client an email containing a 1x1 image (or modify sender’s signature to sneak it into legitimate emails):
Shortcut file
Send the target client a shortcut file with an icon on a remote compromised host (UNC path). A authentication request to download the icon gets triggered whenever the file is shown in File Explorer (no click required).
Trigger Remote Authentication
Use certain tools to make computer accounts authenticate to a server (typically uses RPC protocols for printing and EFS) e.g.: