T1187

Forced Authentication

Adversaries may gather credential material by forcing a user or system to automatically provide authentication information through SMB or WebDAV mechanisms they can intercept. When a Windows system connects to an SMB resource it automatically attempts to authenticate, sending hashed credentials to the remote system. Adversaries exploit this by placing malicious .SCF/.LNK files, Office documents with remote template injection, or exploiting the EfsRpcOpenFileRaw function (PetitPotam) to coerce NTLM authentication to attacker-controlled servers where NTLMv2 hashes can be captured and cracked offline.

Microsoft Sentinel / Defender

kusto

// Detection 1: Outbound SMB to external/untrusted IPs (port 445/139)
let InternalRanges = dynamic(["10.", "172.16.", "172.17.", "172.18.", "172.19.", "172.20.", "172.21.", "172.22.", "172.23.", "172.24.", "172.25.", "172.26.", "172.27.", "172.28.", "172.29.", "172.30.", "172.31.", "192.168.", "127.", "169.254."]);
let OfficeProcesses = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "onenote.exe", "visio.exe"]);
let SmbPorts = dynamic([445, 139]);
// Part A: Office or browser process initiating outbound SMB to external IP
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (SmbPorts)
| where not(RemoteIP has_any (InternalRanges))
| where not(RemoteIP == "0.0.0.0" or RemoteIP == "255.255.255.255")
| extend IsOfficeProcess = InitiatingProcessFileName has_any (OfficeProcesses)
| extend IsExternalSMB = true
| project Timestamp, DeviceName, AccountName, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          IsOfficeProcess, IsExternalSMB
| sort by Timestamp desc
| union (
// Part B: SCF or LNK files written to user-accessible paths (setup for credential harvesting)
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".scf" or FileName endswith ".lnk"
| where FolderPath has_any ("\\Desktop\\", "\\Downloads\\", "\\Documents\\", "\\Public\\", "\\Share\\", "\\Shares\\")
| extend IsOfficeProcess = InitiatingProcessFileName has_any (OfficeProcesses)
| project Timestamp, DeviceName, AccountName=RequestAccountName,
          RemoteIP = "", RemotePort = 0,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          IsOfficeProcess, IsExternalSMB = false
| sort by Timestamp desc
)
| union (
// Part C: NTLM auth to non-domain systems (Security Event 4648 - explicit credential logon)
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4648
| where TargetServerName !endswith env_var("USERDNSDOMAIN") and TargetServerName != "localhost" and TargetServerName != "127.0.0.1"
| where LogonType == 3
| project Timestamp=TimeGenerated, DeviceName=Computer, AccountName=SubjectUserName,
          RemoteIP = IpAddress, RemotePort = 445,
          InitiatingProcessFileName = ProcessName, InitiatingProcessCommandLine = CommandLine,
          IsOfficeProcess = ProcessName has_any (OfficeProcesses), IsExternalSMB = true
| sort by Timestamp desc
)

high severity high confidence

Data Sources

Network Traffic: Network Connection Creation File: File Creation Logon Session: Logon Session Creation Microsoft Defender for Endpoint Windows Security Event Log

Required Tables

DeviceNetworkEvents DeviceFileEvents SecurityEvent

False Positives

Legitimate file shares accessed over SMB to non-RFC1918 IPs, such as hosted file storage services or MPLS partner networks with routable address space
Security scanning tools and vulnerability scanners initiating SMB connections to external hosts during authorized penetration testing
.LNK files created by legitimate application installers or shortcuts created by software deployment tools (SCCM, Intune) placed in shared directories
IT administrators manually connecting to external customer environments or remote support sessions using explicit credentials (Event ID 4648)
Backup agents and DFS replication connecting to remote file servers with non-RFC1918 addresses in hosted environments

Splunk

spl

| union
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (DestinationPort=445 OR DestinationPort=139)
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
       OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
       OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
       OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
       OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
       OR DestinationIp="172.30.*" OR DestinationIp="172.31.*"
       OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="169.254.*")
| eval detection_type="ExternalSMB"
| eval IsOfficeProcess=if(match(lower(Image), "(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe"), 1, 0)
| eval severity=if(IsOfficeProcess=1, "critical", "high")
| table _time, host, User, Image, CommandLine, DestinationIp, DestinationPort, detection_type, IsOfficeProcess, severity
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*.scf" OR TargetFilename="*.lnk")
  (TargetFilename="*\\Desktop\\*" OR TargetFilename="*\\Downloads\\*"
   OR TargetFilename="*\\Documents\\*" OR TargetFilename="*\\Public\\*"
   OR TargetFilename="*\\Share\\*" OR TargetFilename="*\\Shares\\*")
| eval detection_type="SuspiciousSCForLNK"
| eval IsOfficeProcess=if(match(lower(Image), "(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe"), 1, 0)
| eval severity="high"
| table _time, host, User, Image, CommandLine, TargetFilename, detection_type, IsOfficeProcess, severity
]
[
search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4648
  LogonType=3
  NOT (TargetServerName="localhost" OR TargetServerName="127.0.0.1")
| eval detection_type="ExplicitCredentialLogon"
| eval IsOfficeProcess=if(match(lower(ProcessName), "(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe"), 1, 0)
| eval severity=if(IsOfficeProcess=1, "critical", "medium")
| table _time, host, SubjectUserName, ProcessName, TargetServerName, IpAddress, detection_type, IsOfficeProcess, severity
]
| sort - _time

high severity high confidence

Data Sources

Network Traffic: Network Connection Creation File: File Creation Logon Session: Logon Session Creation Sysmon Event ID 3 Sysmon Event ID 11 Windows Security Event ID 4648

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate file shares accessed over SMB to non-RFC1918 IPs in hosted or MPLS environments
Security scanning tools initiating authorized SMB connections to external targets during pentesting windows
.LNK files written by software deployment tools (SCCM, Intune) to user desktop or shared directories
IT administrators using explicit credentials for remote support sessions to external customer environments
Backup agents and DFS replication connecting to hosted file servers with public address space

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  // Part A: Office/browser process initiating outbound SMB to external IP
  network where event.action == "connection_attempted"
    and destination.port in (445, 139)
    and not cidr_match(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
    and destination.ip != "0.0.0.0" and destination.ip != "255.255.255.255"
    and process.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "onenote.exe", "visio.exe")
]
until [process where event.action == "end"]

// Part B: SCF or LNK file written to user-accessible path
sequence by host.name
[
  file where event.action in ("creation", "overwrite")
    and (file.extension == "scf" or file.extension == "lnk")
    and (
      file.path like~ "*\\Desktop\\*" or
      file.path like~ "*\\Downloads\\*" or
      file.path like~ "*\\Documents\\*" or
      file.path like~ "*\\Public\\*" or
      file.path like~ "*\\Share\\*" or
      file.path like~ "*\\Shares\\*"
    )
]

// Part C: Explicit credential logon (Event 4648) to external host
authentication where event.code == "4648"
  and winlog.event_data.LogonType == "3"
  and not winlog.event_data.TargetServerName in~ ("localhost", "127.0.0.1")
  and not winlog.event_data.TargetServerName like~ "*.yourdomain.com"

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Security Event Logs Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.file-* winlogbeat-* logs-system.security*

False Positives

Legitimate backup or file-sync software (e.g., Veeam, DFS replication) making outbound SMB to partner sites or cloud storage endpoints
Security awareness phishing simulation platforms dropping .lnk files to user desktops as part of an authorized red team exercise
Domain-joined laptops roaming to external networks where automatic SMB connections to remembered file shares appear as external SMB attempts

IBM QRadar (AQL)

sql

-- Part A: External outbound SMB from Office processes (Sysmon Event 3)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "Image" AS process_name,
  "CommandLine" AS cmdline,
  'ExternalSMB_OfficeProcess' AS detection_type,
  CASE WHEN LOWER("Image") LIKE '%winword.exe%' OR LOWER("Image") LIKE '%excel.exe%'
       OR LOWER("Image") LIKE '%powerpnt.exe%' OR LOWER("Image") LIKE '%outlook.exe%'
       OR LOWER("Image") LIKE '%mspub.exe%' OR LOWER("Image") LIKE '%onenote.exe%'
       OR LOWER("Image") LIKE '%visio.exe%' THEN 'critical' ELSE 'high' END AS severity
FROM events
WHERE LOGSOURCETYPEID = 13 -- Microsoft Windows
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND CATEGORYNAME(category) LIKE '%Network%'
  AND (destinationport = 445 OR destinationport = 139)
  AND destinationip NOT LIKE '10.%'
  AND destinationip NOT LIKE '172.16.%' AND destinationip NOT LIKE '172.17.%'
  AND destinationip NOT LIKE '172.18.%' AND destinationip NOT LIKE '172.19.%'
  AND destinationip NOT LIKE '172.20.%' AND destinationip NOT LIKE '172.21.%'
  AND destinationip NOT LIKE '172.22.%' AND destinationip NOT LIKE '172.23.%'
  AND destinationip NOT LIKE '172.24.%' AND destinationip NOT LIKE '172.25.%'
  AND destinationip NOT LIKE '172.26.%' AND destinationip NOT LIKE '172.27.%'
  AND destinationip NOT LIKE '172.28.%' AND destinationip NOT LIKE '172.29.%'
  AND destinationip NOT LIKE '172.30.%' AND destinationip NOT LIKE '172.31.%'
  AND destinationip NOT LIKE '192.168.%'
  AND destinationip NOT LIKE '127.%'
  AND destinationip NOT LIKE '169.254.%'
  AND destinationip NOT IN ('0.0.0.0', '255.255.255.255')
  AND LOGSOURCETIME(devicetime) > NOW() - 1 HOURS
UNION ALL
-- Part B: SCF or LNK file creation in user-accessible paths (Sysmon Event 11)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  '' AS destinationip,
  0 AS destinationport,
  username,
  "Image" AS process_name,
  "TargetFilename" AS cmdline,
  'SCForLNK_File_Created' AS detection_type,
  'high' AS severity
FROM events
WHERE LOGSOURCETYPEID = 13
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND ("TargetFilename" LIKE '%.scf' OR "TargetFilename" LIKE '%.lnk')
  AND (
    "TargetFilename" LIKE '%\Desktop\%' OR
    "TargetFilename" LIKE '%\Downloads\%' OR
    "TargetFilename" LIKE '%\Documents\%' OR
    "TargetFilename" LIKE '%\Public\%' OR
    "TargetFilename" LIKE '%\Share\%' OR
    "TargetFilename" LIKE '%\Shares\%'
  )
  AND LOGSOURCETIME(devicetime) > NOW() - 1 HOURS
UNION ALL
-- Part C: Explicit credential logon to non-domain systems (Security Event 4648)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  sourceip AS destinationip,
  445 AS destinationport,
  username,
  "ProcessName" AS process_name,
  "ProcessName" AS cmdline,
  'ExplicitCredentialLogon_4648' AS detection_type,
  'medium' AS severity
FROM events
WHERE LOGSOURCETYPEID = 13
  AND eventid = 4648
  AND "LogonType" = '3'
  AND "TargetServerName" NOT IN ('localhost', '127.0.0.1')
  AND LOGSOURCETIME(devicetime) > NOW() - 1 HOURS
ORDER BY event_time DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon via QRadar DSM Windows Security Event Log via QRadar DSM

Required Tables

events

False Positives

Enterprise software update mechanisms that use SMB-based distribution to off-premises staging servers (common with large patch management systems)
Helpdesk tools creating .lnk shortcuts on user desktops as part of automated deployment scripts during onboarding workflows
Users manually mapping drives to external contractor file shares, triggering Event 4648 explicit credential logons to non-domain servers

Sumo Logic CSE

sql

// Part A: External SMB from Office processes (Sysmon Event 3)
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "3"
| where DestinationPort = "445" OR DestinationPort = "139"
| where !(DestinationIp matches /^10\./ OR DestinationIp matches /^172\.(1[6-9]|2[0-9]|3[0-1])\./ OR DestinationIp matches /^192\.168\./ OR DestinationIp matches /^127\./ OR DestinationIp matches /^169\.254\./)
| where DestinationIp != "0.0.0.0" AND DestinationIp != "255.255.255.255"
| eval IsOfficeProcess = if (Image matches /(?i)(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe/, "true", "false")
| eval severity = if (IsOfficeProcess = "true", "critical", "high")
| eval detection_type = "ExternalSMB"
| fields _messageTime, Computer, User, Image, CommandLine, DestinationIp, DestinationPort, IsOfficeProcess, severity, detection_type

// Part B: SCF or LNK file written to user directories (Sysmon Event 11)
// Run as separate query and union results in dashboard
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "11"
| where TargetFilename matches /(?i)\.(scf|lnk)$/
| where TargetFilename matches /(?i)\\(Desktop|Downloads|Documents|Public|Shares?)\\/
| eval IsOfficeProcess = if (Image matches /(?i)(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe/, "true", "false")
| eval severity = "high"
| eval detection_type = "SuspiciousSCForLNK"
| fields _messageTime, Computer, User, Image, CommandLine, TargetFilename, IsOfficeProcess, severity, detection_type

// Part C: Explicit credential logon (Security Event 4648)
(_sourceCategory="windows/security" OR _sourceCategory="WinEventLog/Security")
| where EventID = "4648"
| where LogonType = "3"
| where TargetServerName != "localhost" AND TargetServerName != "127.0.0.1"
| where !(TargetServerName matches /(?i)\.yourdomain\.com$/)
| eval IsOfficeProcess = if (ProcessName matches /(?i)(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe/, "true", "false")
| eval severity = if (IsOfficeProcess = "true", "critical", "medium")
| eval detection_type = "ExplicitCredentialLogon"
| fields _messageTime, Computer, SubjectUserName, ProcessName, TargetServerName, IpAddress, IsOfficeProcess, severity, detection_type
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic Collector Windows Security Event Log via Sumo Logic Collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Network printers or MFPs configured with UNC path scanning destinations that appear as external SMB from svchost or print spooler — validate by confirming destination is a known printer server
Automated LNK file creation by legitimate application installers writing shortcuts to the Desktop (e.g., Adobe, Zoom) during mass software deployment
VPN-connected users where internal IP space for branch offices falls outside the excluded RFC1918 ranges, causing legitimate file server connections to appear as external SMB

Google Chronicle / SecOps

yaral

rule t1187_forced_authentication_external_smb {
  meta:
    author = "df00tech"
    description = "Detects forced NTLM authentication coercion via external SMB connections from Office processes (T1187)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1187"
    reference = "https://attack.mitre.org/techniques/T1187/"
    version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.application_protocol != "DNS"
    (
      $e.target.port = 445 or
      $e.target.port = 139
    )
    // Exclude RFC1918 and link-local
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "169.254.0.0/16")
    $e.principal.process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe$/

  condition:
    $e
}

rule t1187_forced_authentication_scf_lnk_drop {
  meta:
    author = "df00tech"
    description = "Detects .SCF or .LNK file creation in user-accessible directories — credential harvesting setup for forced NTLM authentication (T1187)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1187"
    reference = "https://attack.mitre.org/techniques/T1187/"
    version = "1.0"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    (
      $e.target.file.full_path = /(?i)\.scf$/ or
      $e.target.file.full_path = /(?i)\.lnk$/
    )
    (
      $e.target.file.full_path = /(?i)\\Desktop\\/ or
      $e.target.file.full_path = /(?i)\\Downloads\\/ or
      $e.target.file.full_path = /(?i)\\Documents\\/ or
      $e.target.file.full_path = /(?i)\\Public\\/ or
      $e.target.file.full_path = /(?i)\\Shares?\\/ 
    )

  condition:
    $e
}

rule t1187_forced_authentication_explicit_logon {
  meta:
    author = "df00tech"
    description = "Detects explicit NTLM credential use (Event 4648, LogonType 3) to non-domain, non-local systems — indicator of forced authentication or pass-the-hash (T1187)"
    severity = "MEDIUM"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1187"
    reference = "https://attack.mitre.org/techniques/T1187/"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.product_event_type = "4648"
    $e.network.session_id != ""
    not $e.target.hostname = /(?i)\.yourdomain\.com$/
    not $e.target.hostname = "localhost"
    not $e.target.ip = "127.0.0.1"
    $e.extensions.auth.auth_details = "3"  // LogonType 3 = Network

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Google Chronicle UDM Windows Event Forwarding to Chronicle Sysmon via Chronicle forwarder

Required Tables

UDM Events - NETWORK_CONNECTION UDM Events - FILE_CREATION UDM Events - USER_LOGIN

False Positives

Security scanning tools (Nessus, Qualys) performing authenticated SMB scans to external network segments that have been classified incorrectly as outside internal ranges in Chronicle's asset context
IT administrators using runas /netonly to connect to external partner file shares for legitimate data exchange — triggers Event 4648 with LogonType 3 to non-domain hosts
Application deployment tools creating .lnk shortcut files en masse on workstations during software rollout, generating high-volume file creation events from SYSTEM or installer processes

CrowdStrike LogScale (CQL)

cql

// Part A: External SMB from Office processes (NetworkConnectIP4)
#event_simpleName="NetworkConnectIP4"
| RemotePort in [445, 139]
// Exclude RFC1918 — LogScale uses cidr() function
| !cidr(RemoteIP, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"])
| RemoteIP != "0.0.0.0" RemoteIP != "255.255.255.255"
| regex("(?i)(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe", field=ImageFileName, strict=false)
| eval(detection_type="ExternalSMB_OfficeProcess")
| eval(severity="critical")
| table([#event_simpleName, ComputerName, UserName, ImageFileName, CommandLine, RemoteIP, RemotePort, detection_type, severity, @timestamp])
| sort(@timestamp, order=desc)

// Part B: SCF or LNK file creation in user paths (Sysmon-style via CrowdStrike file events)
// CrowdStrike uses #event_simpleName=CreateExecutionHistory or WriteExecutionHistory for file writes
// Use PeCreateProcessNotifyRoutine events or MotionEvent for file-write telemetry
#event_simpleName="PeFileWritten"
| regex("(?i)\.(scf|lnk)$", field=TargetFileName, strict=false)
| regex("(?i)\\\\(Desktop|Downloads|Documents|Public|Shares?)\\\\" , field=TargetFileName, strict=false)
| eval(detection_type="SCForLNK_Drop")
| eval(severity="high")
| table([#event_simpleName, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, detection_type, severity, @timestamp])
| sort(@timestamp, order=desc)

// Part C: Explicit credential logon to external host (map from UserLogon2)
// CrowdStrike Event: UserLogon / UserLogon2 with LogonType=3
#event_simpleName=UserLogon
| LogonType=3
| RemoteIP != "127.0.0.1" RemoteIP != ""
| !cidr(RemoteIP, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
| eval(detection_type="ExternalNTLMLogon")
| eval(severity="high")
| table([#event_simpleName, ComputerName, UserName, LogonType, RemoteIP, AuthenticationPackage, detection_type, severity, @timestamp])
| sort(@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor CrowdStrike LogScale (Humio) Falcon Real-Time Response telemetry

Required Tables

NetworkConnectIP4 PeFileWritten UserLogon UserLogon2

False Positives

CrowdStrike sensors on development workstations where developers run SMB-connected build caches or artifact repositories hosted on cloud VMs with public IPs (common in CI/CD workflows)
Automated LNK file generators used by enterprise desktop management tools (e.g., Microsoft Endpoint Configuration Manager) writing application shortcuts to user Desktop paths at scale
Managed service providers accessing client environments via explicit NTLM credentials to non-domain administrative shares, generating UserLogon events with external IPs during routine maintenance windows

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1187 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Forced Authentication

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Credential Access

Popular Detections