T1187 IBM QRadar · QRadar

Detect Forced Authentication in IBM QRadar

Adversaries may gather credential material by forcing a user or system to automatically provide authentication information through SMB or WebDAV mechanisms they can intercept. When a Windows system connects to an SMB resource it automatically attempts to authenticate, sending hashed credentials to the remote system. Adversaries exploit this by placing malicious .SCF/.LNK files, Office documents with remote template injection, or exploiting the EfsRpcOpenFileRaw function (PetitPotam) to coerce NTLM authentication to attacker-controlled servers where NTLMv2 hashes can be captured and cracked offline.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1187 Forced Authentication
Canonical reference
https://attack.mitre.org/techniques/T1187/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
-- Part A: External outbound SMB from Office processes (Sysmon Event 3)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "Image" AS process_name,
  "CommandLine" AS cmdline,
  'ExternalSMB_OfficeProcess' AS detection_type,
  CASE WHEN LOWER("Image") LIKE '%winword.exe%' OR LOWER("Image") LIKE '%excel.exe%'
       OR LOWER("Image") LIKE '%powerpnt.exe%' OR LOWER("Image") LIKE '%outlook.exe%'
       OR LOWER("Image") LIKE '%mspub.exe%' OR LOWER("Image") LIKE '%onenote.exe%'
       OR LOWER("Image") LIKE '%visio.exe%' THEN 'critical' ELSE 'high' END AS severity
FROM events
WHERE LOGSOURCETYPEID = 13 -- Microsoft Windows
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND CATEGORYNAME(category) LIKE '%Network%'
  AND (destinationport = 445 OR destinationport = 139)
  AND destinationip NOT LIKE '10.%'
  AND destinationip NOT LIKE '172.16.%' AND destinationip NOT LIKE '172.17.%'
  AND destinationip NOT LIKE '172.18.%' AND destinationip NOT LIKE '172.19.%'
  AND destinationip NOT LIKE '172.20.%' AND destinationip NOT LIKE '172.21.%'
  AND destinationip NOT LIKE '172.22.%' AND destinationip NOT LIKE '172.23.%'
  AND destinationip NOT LIKE '172.24.%' AND destinationip NOT LIKE '172.25.%'
  AND destinationip NOT LIKE '172.26.%' AND destinationip NOT LIKE '172.27.%'
  AND destinationip NOT LIKE '172.28.%' AND destinationip NOT LIKE '172.29.%'
  AND destinationip NOT LIKE '172.30.%' AND destinationip NOT LIKE '172.31.%'
  AND destinationip NOT LIKE '192.168.%'
  AND destinationip NOT LIKE '127.%'
  AND destinationip NOT LIKE '169.254.%'
  AND destinationip NOT IN ('0.0.0.0', '255.255.255.255')
  AND LOGSOURCETIME(devicetime) > NOW() - 1 HOURS
UNION ALL
-- Part B: SCF or LNK file creation in user-accessible paths (Sysmon Event 11)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  '' AS destinationip,
  0 AS destinationport,
  username,
  "Image" AS process_name,
  "TargetFilename" AS cmdline,
  'SCForLNK_File_Created' AS detection_type,
  'high' AS severity
FROM events
WHERE LOGSOURCETYPEID = 13
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND ("TargetFilename" LIKE '%.scf' OR "TargetFilename" LIKE '%.lnk')
  AND (
    "TargetFilename" LIKE '%\Desktop\%' OR
    "TargetFilename" LIKE '%\Downloads\%' OR
    "TargetFilename" LIKE '%\Documents\%' OR
    "TargetFilename" LIKE '%\Public\%' OR
    "TargetFilename" LIKE '%\Share\%' OR
    "TargetFilename" LIKE '%\Shares\%'
  )
  AND LOGSOURCETIME(devicetime) > NOW() - 1 HOURS
UNION ALL
-- Part C: Explicit credential logon to non-domain systems (Security Event 4648)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  sourceip AS destinationip,
  445 AS destinationport,
  username,
  "ProcessName" AS process_name,
  "ProcessName" AS cmdline,
  'ExplicitCredentialLogon_4648' AS detection_type,
  'medium' AS severity
FROM events
WHERE LOGSOURCETYPEID = 13
  AND eventid = 4648
  AND "LogonType" = '3'
  AND "TargetServerName" NOT IN ('localhost', '127.0.0.1')
  AND LOGSOURCETIME(devicetime) > NOW() - 1 HOURS
ORDER BY event_time DESC
high severity medium confidence

Three-part AQL detection for forced NTLM authentication coercion. Correlates Sysmon network events for external SMB from Office processes, Sysmon file creation events for .SCF/.LNK drops in accessible paths, and Windows Security Event 4648 for explicit credential logons to non-domain hosts. All three parts UNION into a single result set sorted by time.

Data Sources

IBM QRadar SIEMWindows Sysmon via QRadar DSMWindows Security Event Log via QRadar DSM

Required Tables

events

False Positives & Tuning

  • Enterprise software update mechanisms that use SMB-based distribution to off-premises staging servers (common with large patch management systems)
  • Helpdesk tools creating .lnk shortcuts on user desktops as part of automated deployment scripts during onboarding workflows
  • Users manually mapping drives to external contractor file shares, triggering Event 4648 explicit credential logons to non-domain servers
Download portable Sigma rule (.yml)

Other platforms for T1187

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SMB Forced Authentication via SCF File

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains '@desktop.scf' in Desktop path. Sysmon Event ID 3 (Network Connection): from explorer.exe to 127.0.0.1:445 when folder is browsed. Windows Security Event ID 4648 if authentication is attempted. The file creation from cmd.exe is itself suspicious and should trigger the SCF detection rule.

  2. Test 2Forced SMB Authentication via PowerShell Net.WebClient UNC Request

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with CommandLine containing 'WebClient' and '127.0.0.1'. Sysmon Event ID 3 (Network Connection): from powershell.exe to 127.0.0.1:445. Windows Security Event ID 4648 on the local system for the attempted explicit credential usage. PowerShell ScriptBlock Log Event ID 4104 with the full script content.

  3. Test 3Malicious LNK File with External UNC Icon Reference

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'argus-test.lnk' in Desktop path, created by powershell.exe. Sysmon Event ID 1 for powershell.exe with CreateShortcut and IconLocation in CommandLine. Sysmon Event ID 3 when Desktop folder is browsed: explorer.exe connecting to 127.0.0.1:445 to resolve the icon UNC path. Security Event ID 4648 for the NTLM auth attempt.

  4. Test 4PetitPotam EfsRpcOpenFileRaw Coerce Authentication (Simulated)

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with Add-Type and RpcBindingFromStringBinding in CommandLine. Windows Security Event ID 4688 (if command line auditing enabled). In a full PetitPotam execution: Security Event ID 4648 on the target DC, followed by Event ID 4624 Logon Type 3 from the coerced machine account, then network events from the DC machine account connecting outbound to the attacker listener on port 445.

Last updated: 2026-04-18 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1187 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1221Template InjectionT1566.001Spearphishing AttachmentT1557Adversary-in-the-MiddleT1110Brute ForceT1558.003KerberoastingT1550.002Pass the HashT1078Valid AccountsT1003OS Credential DumpingT1071.002File Transfer Protocols

Same Tactic: Credential Access

Popular Detections