T1187 CrowdStrike LogScale · LogScale

Detect Forced Authentication in CrowdStrike LogScale

Adversaries may gather credential material by forcing a user or system to automatically provide authentication information through SMB or WebDAV mechanisms they can intercept. When a Windows system connects to an SMB resource it automatically attempts to authenticate, sending hashed credentials to the remote system. Adversaries exploit this by placing malicious .SCF/.LNK files, Office documents with remote template injection, or exploiting the EfsRpcOpenFileRaw function (PetitPotam) to coerce NTLM authentication to attacker-controlled servers where NTLMv2 hashes can be captured and cracked offline.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1187 Forced Authentication
Canonical reference
https://attack.mitre.org/techniques/T1187/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Part A: External SMB from Office processes (NetworkConnectIP4)
#event_simpleName="NetworkConnectIP4"
| RemotePort in [445, 139]
// Exclude RFC1918 — LogScale uses cidr() function
| !cidr(RemoteIP, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"])
| RemoteIP != "0.0.0.0" RemoteIP != "255.255.255.255"
| regex("(?i)(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe", field=ImageFileName, strict=false)
| eval(detection_type="ExternalSMB_OfficeProcess")
| eval(severity="critical")
| table([#event_simpleName, ComputerName, UserName, ImageFileName, CommandLine, RemoteIP, RemotePort, detection_type, severity, @timestamp])
| sort(@timestamp, order=desc)

// Part B: SCF or LNK file creation in user paths (Sysmon-style via CrowdStrike file events)
// CrowdStrike uses #event_simpleName=CreateExecutionHistory or WriteExecutionHistory for file writes
// Use PeCreateProcessNotifyRoutine events or MotionEvent for file-write telemetry
#event_simpleName="PeFileWritten"
| regex("(?i)\.(scf|lnk)$", field=TargetFileName, strict=false)
| regex("(?i)\\\\(Desktop|Downloads|Documents|Public|Shares?)\\\\" , field=TargetFileName, strict=false)
| eval(detection_type="SCForLNK_Drop")
| eval(severity="high")
| table([#event_simpleName, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, detection_type, severity, @timestamp])
| sort(@timestamp, order=desc)

// Part C: Explicit credential logon to external host (map from UserLogon2)
// CrowdStrike Event: UserLogon / UserLogon2 with LogonType=3
#event_simpleName=UserLogon
| LogonType=3
| RemoteIP != "127.0.0.1" RemoteIP != ""
| !cidr(RemoteIP, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
| eval(detection_type="ExternalNTLMLogon")
| eval(severity="high")
| table([#event_simpleName, ComputerName, UserName, LogonType, RemoteIP, AuthenticationPackage, detection_type, severity, @timestamp])
| sort(@timestamp, order=desc)
high severity medium confidence

Three-part CrowdStrike LogScale (CQL/Falcon) detection for T1187 forced NTLM authentication coercion. Part A uses NetworkConnectIP4 events to catch Office applications initiating outbound SMB to external IPs, using cidr() for accurate RFC1918 exclusion. Part B uses PeFileWritten events to detect .SCF and .LNK file creation in user-browsable directories. Part C uses UserLogon events with LogonType=3 to identify explicit NTLM authentication to external hosts. Requires Falcon sensor with full network telemetry and LogScale SIEM ingestion.

Data Sources

CrowdStrike Falcon Endpoint SensorCrowdStrike LogScale (Humio)Falcon Real-Time Response telemetry

Required Tables

NetworkConnectIP4PeFileWrittenUserLogonUserLogon2

False Positives & Tuning

  • CrowdStrike sensors on development workstations where developers run SMB-connected build caches or artifact repositories hosted on cloud VMs with public IPs (common in CI/CD workflows)
  • Automated LNK file generators used by enterprise desktop management tools (e.g., Microsoft Endpoint Configuration Manager) writing application shortcuts to user Desktop paths at scale
  • Managed service providers accessing client environments via explicit NTLM credentials to non-domain administrative shares, generating UserLogon events with external IPs during routine maintenance windows
Download portable Sigma rule (.yml)

Other platforms for T1187

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SMB Forced Authentication via SCF File

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains '@desktop.scf' in Desktop path. Sysmon Event ID 3 (Network Connection): from explorer.exe to 127.0.0.1:445 when folder is browsed. Windows Security Event ID 4648 if authentication is attempted. The file creation from cmd.exe is itself suspicious and should trigger the SCF detection rule.

  2. Test 2Forced SMB Authentication via PowerShell Net.WebClient UNC Request

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with CommandLine containing 'WebClient' and '127.0.0.1'. Sysmon Event ID 3 (Network Connection): from powershell.exe to 127.0.0.1:445. Windows Security Event ID 4648 on the local system for the attempted explicit credential usage. PowerShell ScriptBlock Log Event ID 4104 with the full script content.

  3. Test 3Malicious LNK File with External UNC Icon Reference

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'argus-test.lnk' in Desktop path, created by powershell.exe. Sysmon Event ID 1 for powershell.exe with CreateShortcut and IconLocation in CommandLine. Sysmon Event ID 3 when Desktop folder is browsed: explorer.exe connecting to 127.0.0.1:445 to resolve the icon UNC path. Security Event ID 4648 for the NTLM auth attempt.

  4. Test 4PetitPotam EfsRpcOpenFileRaw Coerce Authentication (Simulated)

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with Add-Type and RpcBindingFromStringBinding in CommandLine. Windows Security Event ID 4688 (if command line auditing enabled). In a full PetitPotam execution: Security Event ID 4648 on the target DC, followed by Event ID 4624 Logon Type 3 from the coerced machine account, then network events from the DC machine account connecting outbound to the attacker listener on port 445.

Last updated: 2026-04-18 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1187 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1221Template InjectionT1566.001Spearphishing AttachmentT1557Adversary-in-the-MiddleT1110Brute ForceT1558.003KerberoastingT1550.002Pass the HashT1078Valid AccountsT1003OS Credential DumpingT1071.002File Transfer Protocols

Same Tactic: Credential Access

Popular Detections