Detect Forced Authentication in Google Chronicle
Adversaries may gather credential material by forcing a user or system to authenticate automatically, over SMB or WebDAV, to a server they control. When a Windows host is pointed at a UNC path it attempts to authenticate without user interaction, and the NTLM challenge-response it sends (a Net-NTLMv2 response, not the stored NT hash) can be captured by whoever owns the remote end. Adversaries trigger this by planting .SCF or .LNK files whose icon path points at a remote share, by delivering Office documents that load a remote template, or by calling the EfsRpcOpenFileRaw RPC method (PetitPotam) to coerce a server, typically a domain controller, into authenticating to an attacker-controlled listener. The captured responses are cracked offline or relayed to other services (NTLM relay).
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1187 Forced Authentication
- Canonical reference: https://attack.mitre.org/techniques/T1187/
YARA-L Detection Query
rule t1187_forced_authentication_external_smb {
  meta:
    author = "df00tech"
    description = "Detects forced NTLM authentication coercion via external SMB connections from Office processes (T1187)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1187"
    reference = "https://attack.mitre.org/techniques/T1187/"
    version = "1.0"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.application_protocol != "DNS"
    // SMB over TCP (445) or the NetBIOS session service (139)
    (
      $e.target.port = 445 or
      $e.target.port = 139
    )
    // Exclude RFC1918, loopback and link-local destinations; anything left is off-network
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "169.254.0.0/16")
    // Office applications rarely have a reason to speak SMB to internet hosts;
    // remote-template and linked-object lures make them do exactly that
    $e.principal.process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe$/
  condition:
    $e
}
rule t1187_forced_authentication_scf_lnk_drop {
  meta:
    author = "df00tech"
    description = "Detects .SCF or .LNK file creation in user-accessible directories, the setup step for forced NTLM authentication (T1187)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1187"
    reference = "https://attack.mitre.org/techniques/T1187/"
    version = "1.0"
  events:
    $e.metadata.event_type = "FILE_CREATION"
    // Shell Command Files and shortcuts both carry an icon path that Explorer resolves
    // as soon as the containing folder is rendered, without the user opening the file
    (
      $e.target.file.full_path = /(?i)\.scf$/ or
      $e.target.file.full_path = /(?i)\.lnk$/
    )
    // Directories a victim (or many victims, for shares) will browse
    (
      $e.target.file.full_path = /(?i)\\Desktop\\/ or
      $e.target.file.full_path = /(?i)\\Downloads\\/ or
      $e.target.file.full_path = /(?i)\\Documents\\/ or
      $e.target.file.full_path = /(?i)\\Public\\/ or
      $e.target.file.full_path = /(?i)\\Shares?\\/
    )
  condition:
    $e
}
rule t1187_forced_authentication_explicit_logon {
  meta:
    author = "df00tech"
    description = "Detects explicit-credential logon attempts (Security Event 4648) to targets that are neither in the domain nor local; indicator of forced authentication or pass-the-hash (T1187)"
    severity = "MEDIUM"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1187"
    reference = "https://attack.mitre.org/techniques/T1187/"
    version = "1.0"
  events:
    // 4648 is logged on the host whose process supplied the credentials, so
    // principal.hostname is the victim and target.hostname is the remote server.
    // The event carries no Logon Type field, so none is filtered on here.
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.product_event_type = "4648"
    $e.network.session_id != ""
    // Replace yourdomain.com with the organisation's own DNS suffix
    not $e.target.hostname = /(?i)\.yourdomain\.com$/
    not $e.target.hostname = "localhost"
    not $e.target.ip = "127.0.0.1"
  condition:
    $e
}
Three YARA-L 2.0 rules for Google Chronicle covering forced NTLM authentication coercion (T1187). Rule 1 fires when an Office process makes an outbound SMB connection to an address outside the RFC1918, loopback and link-local ranges, using net.ip_in_range_cidr() for the CIDR exclusions. Rule 2 fires on .SCF or .LNK file creation in user-accessible directories. Rule 3 fires on Windows Security Event 4648 (logon attempted using explicit credentials) whose target server is outside the domain and not the local host; 4648 has no Logon Type field, so the rule does not filter on one. Deploy all three rules and correlate alerts by principal.hostname for multi-stage campaign detection. Two caveats before relying on them: the process attribution in rule 1 depends on the sensor, because Sysmon Event ID 3 records connections made through the kernel SMB redirector under Image=System (PID 4) rather than the Office process, so rule 1 needs telemetry that attributes the connection to the initiating process; and when outbound 445 is blocked at the perimeter, Windows falls back to WebDAV over 80/443 through the WebClient service, which none of these rules cover, so that fallback needs its own detection.
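To see what each rule's filters accept and reject before deploying, here is an added Python emulation of the three rules' logic over a handful of constructed events. This is editorial example code, not part of the original rule package and not Chronicle's API: the flattened event keys, the hostnames, the 203.0.113.10 address and the yourdomain.com placeholder are assumptions, and the emulation keeps only the conditions that map directly onto event fields (rule 3's session_id filter is omitted). It also implements the per-host correlation the summary above recommends.

```python
"""Offline emulation of the three T1187 YARA-L rules over constructed sample events."""
import ipaddress
import re

# Exclusion ranges mirror the net.ip_in_range_cidr() calls in rule 1.
EXCLUDED_NETS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
OFFICE_RE = re.compile(r"(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe$", re.I)
LURE_EXT_RE = re.compile(r"\.(scf|lnk)$", re.I)
USER_DIR_RE = re.compile(r"\\(Desktop|Downloads|Documents|Public|Shares?)\\", re.I)
INTERNAL_DOMAIN_RE = re.compile(r"\.yourdomain\.com$", re.I)  # placeholder suffix, as in rule 3

# Constructed sample events in a flattened UDM-like shape (assumed keys; not real Chronicle data).
OFFICE_WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [
    # WS01: Word reaches an internet host on 445 (rule 1 should fire)
    {"event_type": "NETWORK_CONNECTION", "hostname": "WS01", "target_ip": "203.0.113.10",
     "target_port": 445, "process_path": OFFICE_WORD},
    # WS02: Word opens a document on the internal file server (excluded by CIDR)
    {"event_type": "NETWORK_CONNECTION", "hostname": "WS02", "target_ip": "10.1.2.3",
     "target_port": 445, "process_path": OFFICE_WORD},
    # WS02: Word talking HTTPS to the internet is normal (wrong port for rule 1)
    {"event_type": "NETWORK_CONNECTION", "hostname": "WS02", "target_ip": "203.0.113.10",
     "target_port": 443, "process_path": OFFICE_WORD},
    # WS05: a non-Office process on 445 is out of scope for rule 1
    {"event_type": "NETWORK_CONNECTION", "hostname": "WS05", "target_ip": "203.0.113.10",
     "target_port": 445, "process_path": "C:\\Windows\\System32\\svchost.exe"},
    # WS01: SCF lure dropped on a user's Desktop (rule 2 should fire)
    {"event_type": "FILE_CREATION", "hostname": "WS01",
     "file_path": "C:\\Users\\alice\\Desktop\\@desktop.scf"},
    # WS03: installer shortcut outside the watched directories
    {"event_type": "FILE_CREATION", "hostname": "WS03",
     "file_path": "C:\\ProgramData\\Vendor\\tool.lnk"},
    # WS01: explicit-credential logon to a host outside the domain (rule 3 should fire)
    {"event_type": "USER_LOGIN", "hostname": "WS01", "product_event_type": "4648",
     "target_hostname": "fileshare.attacker.example", "target_ip": "203.0.113.10"},
    # WS04: explicit-credential logon to a domain controller (internal suffix, suppressed)
    {"event_type": "USER_LOGIN", "hostname": "WS04", "product_event_type": "4648",
     "target_hostname": "dc01.yourdomain.com", "target_ip": "10.0.0.5"},
]


def is_excluded_ip(ip):
    """True for RFC1918, loopback and link-local targets; unparseable values count as excluded."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in EXCLUDED_NETS)


def rule_external_smb(e):
    """Rule 1: Office process, SMB port, destination outside the excluded ranges."""
    return (e.get("event_type") == "NETWORK_CONNECTION"
            and e.get("target_port") in (445, 139)
            and not is_excluded_ip(e.get("target_ip", ""))
            and OFFICE_RE.search(e.get("process_path", "")) is not None)


def rule_scf_lnk_drop(e):
    """Rule 2: .scf/.lnk written under a user-reachable directory."""
    path = e.get("file_path", "")
    return (e.get("event_type") == "FILE_CREATION"
            and LURE_EXT_RE.search(path) is not None
            and USER_DIR_RE.search(path) is not None)


def rule_explicit_logon(e):
    """Rule 3: Security 4648 whose target server is neither in the domain nor the local host."""
    host = e.get("target_hostname", "")
    return (e.get("event_type") == "USER_LOGIN"
            and e.get("product_event_type") == "4648"
            and INTERNAL_DOMAIN_RE.search(host) is None
            and host.lower() != "localhost"
            and e.get("target_ip") != "127.0.0.1")


RULES = {
    "t1187_forced_authentication_external_smb": rule_external_smb,
    "t1187_forced_authentication_scf_lnk_drop": rule_scf_lnk_drop,
    "t1187_forced_authentication_explicit_logon": rule_explicit_logon,
}


def run_rules(events):
    """Return (rule_name, principal hostname) pairs, one per event each rule matches."""
    return [(name, e["hostname"]) for e in events for name, fn in RULES.items() if fn(e)]


def multi_stage_hosts(events):
    """Hosts where at least two distinct rules fired: the per-host correlation recommended above."""
    by_host = {}
    for name, host in run_rules(events):
        by_host.setdefault(host, set()).add(name)
    return sorted(host for host, names in by_host.items() if len(names) >= 2)


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
    print("multi-stage hosts:", multi_stage_hosts(SAMPLE_EVENTS))
```

Only WS01 trips all three rules in the sample set; the internal file-server connection, the HTTPS connection, the non-Office process, the shortcut under ProgramData and the logon to the domain controller are all suppressed by the same exclusions the YARA-L rules apply. Swapping your own domain suffix into INTERNAL_DOMAIN_RE and feeding a day of exported events through run_rules() is a cheap way to size the false-positive load before the rules go live.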
Data Sources
Required Tables
False Positives & Tuning
- Security scanning tools (Nessus, Qualys) performing authenticated SMB scans against internal segments that use addresses outside the hard-coded RFC1918, loopback and link-local exclusions in rule 1, or against hosts whose names do not end in the domain suffix used by rule 3
- IT administrators using runas /netonly to connect to external partner file shares for legitimate data exchange, which logs Event 4648 on the administrator's workstation with a non-domain target server
- Application deployment tools creating .lnk shortcut files en masse on workstations during software rollout, generating high-volume file creation events from SYSTEM or installer processes
Testing Methodology
Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SMB Forced Authentication via SCF File
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains '@desktop.scf' in Desktop path. Sysmon Event ID 3 (Network Connection): from explorer.exe to 127.0.0.1:445 when folder is browsed. Windows Security Event ID 4648 if authentication is attempted. The file creation from cmd.exe is itself suspicious and should trigger the SCF detection rule.
- Test 2: Forced SMB Authentication via PowerShell Net.WebClient UNC Request
Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with CommandLine containing 'WebClient' and '127.0.0.1'. Sysmon Event ID 3 (Network Connection): from powershell.exe to 127.0.0.1:445. Windows Security Event ID 4648 on the local system for the attempted explicit credential usage. PowerShell ScriptBlock Log Event ID 4104 with the full script content.
- Test 3: Malicious LNK File with External UNC Icon Reference
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'argus-test.lnk' in Desktop path, created by powershell.exe. Sysmon Event ID 1 for powershell.exe with CreateShortcut and IconLocation in CommandLine. Sysmon Event ID 3 when Desktop folder is browsed: explorer.exe connecting to 127.0.0.1:445 to resolve the icon UNC path. Security Event ID 4648 for the NTLM auth attempt.
- Test 4: PetitPotam EfsRpcOpenFileRaw Coerce Authentication (Simulated)
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with Add-Type and RpcBindingFromStringBinding in CommandLine. Windows Security Event ID 4688 (if command line auditing is enabled). In a full PetitPotam execution against a domain controller: Security Event ID 4624 Logon Type 3 on the DC for the account (or anonymous logon) that issued the EfsRpcOpenFileRaw call, followed by an outbound connection from the DC to the attacker listener on port 445 in which the DC's machine account authenticates; Sysmon Event ID 3 on the DC records that connection under Image=System, because the kernel SMB redirector makes it rather than a user-mode process.
References
- https://attack.mitre.org/techniques/T1187/
- https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/
- https://github.com/topotam/PetitPotam
- https://www.cylance.com/content/dam/cylance/pdfs/white_papers/RedirectToSMB.pdf
- https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/
- https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/
- https://github.com/hob0/hashjacking
- https://www.us-cert.gov/ncas/alerts/TA17-293A
- https://en.wikipedia.org/wiki/Server_Message_Block
- https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain