T1187 Elastic Security · Elastic

Detect Forced Authentication in Elastic Security

Adversaries may gather credential material by forcing a user or system to automatically provide authentication information through SMB or WebDAV mechanisms they can intercept. When a Windows system connects to an SMB resource it automatically attempts to authenticate, sending hashed credentials to the remote system. Adversaries exploit this by planting malicious .SCF/.LNK files or Office documents with remote template injection, or by abusing the EfsRpcOpenFileRaw function (PetitPotam), to coerce NTLM authentication to attacker-controlled servers where NTLMv2 hashes can be captured and cracked offline.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1187 Forced Authentication
Canonical reference: https://attack.mitre.org/techniques/T1187/

Elastic Detection Query

Elastic Security (Elastic), EQL. The three patterns below are independent event queries and are deployed as three rules: EQL does not accept a one-event sequence (the original Part A/B sequence wrappers with maxspan and until were invalid) and does not accept several queries in one rule.

// Part A: Office process initiating outbound SMB to an external IP
network where event.action == "connection_attempted"
  and destination.port in (445, 139)
  and not cidr_match(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
  and destination.ip != "0.0.0.0" and destination.ip != "255.255.255.255"
  and process.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "onenote.exe", "visio.exe")

// Part B: SCF or LNK file written to a user-accessible path
file where event.action in ("creation", "overwrite")
  and file.extension in~ ("scf", "lnk")
  and (
    file.path like~ "*\\Desktop\\*" or
    file.path like~ "*\\Downloads\\*" or
    file.path like~ "*\\Documents\\*" or
    file.path like~ "*\\Public\\*" or
    file.path like~ "*\\Share\\*" or
    file.path like~ "*\\Shares\\*"
  )

// Part C: Explicit-credential logon (Security Event 4648) to an external host.
// Event 4648 carries no LogonType field, so the LogonType == "3" filter is dropped;
// replace "*.yourdomain.com" with your own domain suffix before enabling.
authentication where event.code == "4648"
  and not winlog.event_data.TargetServerName in~ ("localhost", "127.0.0.1")
  and not winlog.event_data.TargetServerName like~ "*.yourdomain.com"

Severity: high · Confidence: high

Detects forced authentication attacks (T1187) via three patterns: (A) Office applications initiating outbound SMB connections to external IPs, a strong signal of a malicious document with remote template injection or an embedded UNC path; (B) creation of .SCF or .LNK files in user-accessible directories, which auto-trigger SMB authentication when the folder is browsed; (C) Windows Security Event 4648 indicating explicit NTLM credential use against non-domain, non-local systems. Together these cover the PetitPotam coercion, SCF drop, and Office document UNC injection vectors.
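To check the three conditions without an Elastic stack, here is an added Python re-implementation of the rule logic (example code written for this page, not Elastic's rule engine or the page author's code). It evaluates ECS-style event dictionaries with the same field names the EQL uses; the events, host names, process names and the 203.0.113.10 address are constructed sample data, and ".yourdomain.com" is the placeholder suffix from the rule.

```python
"""Offline evaluation of the three T1187 detection patterns over constructed ECS events."""
import ipaddress

# Office binaries from Part A (process.name is compared case-insensitively, as in~ does).
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                "mspub.exe", "onenote.exe", "visio.exe"}
# Same ranges the query passes to cidr_match().
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Lower-cased equivalents of the like~ patterns in Part B.
USER_DIRS = ("\\desktop\\", "\\downloads\\", "\\documents\\",
             "\\public\\", "\\share\\", "\\shares\\")
# Placeholder suffix from the rule; set this to your own domain before use.
INTERNAL_SUFFIX = ".yourdomain.com"


def is_external_ip(ip: str) -> bool:
    """True when ip parses and lies outside the private/loopback/link-local/unspecified set."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if str(addr) in ("0.0.0.0", "255.255.255.255"):
        return False
    return not any(addr in net for net in PRIVATE_NETS)


def match_office_smb(ev: dict) -> bool:
    """Part A: Office process attempting SMB (445/139) to an external address."""
    return (ev.get("event.category") == "network"
            and ev.get("event.action") == "connection_attempted"
            and ev.get("destination.port") in (445, 139)
            and ev.get("process.name", "").lower() in OFFICE_PROCS
            and is_external_ip(ev.get("destination.ip", "")))


def match_scf_lnk_drop(ev: dict) -> bool:
    """Part B: .scf/.lnk written under a directory users browse."""
    path = ev.get("file.path", "").lower()
    return (ev.get("event.category") == "file"
            and ev.get("event.action") in ("creation", "overwrite")
            and ev.get("file.extension", "").lower() in ("scf", "lnk")
            and any(d in path for d in USER_DIRS))


def match_explicit_logon(ev: dict) -> bool:
    """Part C: Security 4648 (explicit credentials) to a host that is neither local nor in-domain."""
    target = ev.get("winlog.event_data.TargetServerName", "").lower()
    return (ev.get("event.category") == "authentication"
            and ev.get("event.code") == "4648"
            and target not in ("localhost", "127.0.0.1")
            and not target.endswith(INTERNAL_SUFFIX))


PATTERNS = (("A", match_office_smb), ("B", match_scf_lnk_drop), ("C", match_explicit_logon))


def evaluate(events):
    """Return (host, pattern) pairs for every event that satisfies a pattern, in input order."""
    return [(ev["host.name"], name) for ev in events for name, fn in PATTERNS if fn(ev)]


# Constructed sample telemetry: three hits and four deliberate non-hits.
SAMPLE_EVENTS = [
    # A: hit, Word reaching an SMB server on a documentation-range (external) address
    {"host.name": "ws01", "event.category": "network", "event.action": "connection_attempted",
     "process.name": "WINWORD.EXE", "destination.ip": "203.0.113.10", "destination.port": 445},
    # A: no hit, same process but an internal file server
    {"host.name": "ws01", "event.category": "network", "event.action": "connection_attempted",
     "process.name": "winword.exe", "destination.ip": "10.20.30.40", "destination.port": 445},
    # A: no hit, a backup agent (constructed name) doing outbound SMB, the tuning-note case
    {"host.name": "ws01", "event.category": "network", "event.action": "connection_attempted",
     "process.name": "backupagent.exe", "destination.ip": "203.0.113.10", "destination.port": 445},
    # B: hit, SCF dropped on a user's desktop
    {"host.name": "ws01", "event.category": "file", "event.action": "creation",
     "file.extension": "scf", "file.path": r"C:\Users\alice\Desktop\@desktop.scf"},
    # B: no hit, LNK in a system directory nobody browses
    {"host.name": "ws01", "event.category": "file", "event.action": "creation",
     "file.extension": "lnk", "file.path": r"C:\ProgramData\Microsoft\Windows\Start Menu\app.lnk"},
    # C: no hit, explicit logon to a domain file server
    {"host.name": "ws02", "event.category": "authentication", "event.code": "4648",
     "winlog.event_data.TargetServerName": "fs01.yourdomain.com"},
    # C: hit, explicit logon to an address outside the domain
    {"host.name": "ws02", "event.category": "authentication", "event.code": "4648",
     "winlog.event_data.TargetServerName": "203.0.113.10"},
]

if __name__ == "__main__":
    for host, pattern in evaluate(SAMPLE_EVENTS):
        print(f"{host}: T1187 pattern {pattern}")
```

Running it prints one line per hit (A, B and C, with the four decoy events staying silent). Adding a sync or backup binary to the Part A process filter, or a second suffix to the Part C domain check, is the same tuning step described under False Positives below.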

Data Sources

  • Elastic Endpoint Security
  • Windows Security Event Logs
  • Sysmon via Winlogbeat

Required Tables

  • logs-endpoint.events.network-*
  • logs-endpoint.events.file-*
  • winlogbeat-*
  • logs-system.security*

False Positives & Tuning

  • Legitimate backup or file-sync software (e.g., Veeam, DFS replication) making outbound SMB to partner sites or cloud storage endpoints
  • Security awareness phishing simulation platforms dropping .lnk files to user desktops as part of an authorized red team exercise
  • Domain-joined laptops roaming to external networks where automatic SMB connections to remembered file shares appear as external SMB attempts

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Note that these tests target 127.0.0.1, which Parts A and C exclude by design, so only the file-write pattern (Part B) alerts on them as written. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SMB Forced Authentication via SCF File

    Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename containing '@desktop.scf' under the Desktop path; Sysmon Event ID 3 (Network Connection) from explorer.exe to 127.0.0.1:445 when the folder is browsed; Windows Security Event ID 4648 if authentication is attempted. The file creation by cmd.exe is itself suspicious and should trigger the SCF detection rule (Part B).

  2. Test 2: Forced SMB Authentication via PowerShell Net.WebClient UNC Request

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=powershell.exe and a CommandLine containing 'WebClient' and '127.0.0.1'; Sysmon Event ID 3 (Network Connection) from powershell.exe to 127.0.0.1:445; Windows Security Event ID 4648 on the local system for the attempted explicit-credential use; PowerShell ScriptBlock Logging Event ID 4104 with the full script content.

  3. Test 3: Malicious LNK File with External UNC Icon Reference

    Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename containing 'argus-test.lnk' under the Desktop path, created by powershell.exe; Sysmon Event ID 1 for powershell.exe with CreateShortcut and IconLocation in the CommandLine; Sysmon Event ID 3 when the Desktop folder is browsed, showing explorer.exe connecting to 127.0.0.1:445 to resolve the icon's UNC path; Security Event ID 4648 for the NTLM authentication attempt.

  4. Test 4: PetitPotam EfsRpcOpenFileRaw Coerce Authentication (Simulated)

    Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with Add-Type and RpcBindingFromStringBinding in the CommandLine; Windows Security Event ID 4688 if command-line auditing is enabled. In a full PetitPotam execution: Security Event ID 4648 on the target DC, followed by Event ID 4624 with Logon Type 3 from the coerced machine account, then network events showing the DC machine account connecting outbound to the attacker listener on port 445.
