T1187 Microsoft Sentinel · KQL

Detect Forced Authentication in Microsoft Sentinel

Adversaries may gather credential material by forcing a user or system to authenticate automatically to a server they control, typically over SMB or WebDAV. When a Windows host connects to an SMB resource it silently authenticates as the current user, sending an NTLM challenge-response (Net-NTLMv2) rather than a cleartext password. Adversaries trigger this by planting .SCF or .LNK files whose icon path is a UNC path on an attacker host, by delivering Office documents with remote template injection, or by calling the EfsRpcOpenFileRaw RPC function (PetitPotam) to coerce a server or domain controller into authenticating outbound. A captured user Net-NTLMv2 response can be cracked offline; a coerced machine-account response is instead relayed to another service (for example AD CS), because machine-account passwords are long and random and are not practically crackable.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1187 Forced Authentication
Canonical reference
https://attack.mitre.org/techniques/T1187/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto
// Detection: three coerced-authentication patterns, unioned into one result set.
// Assumption: set DomainSuffix to the AD DNS suffix of the monitored forest.
// KQL has no env_var(); a USERDNSDOMAIN lookup cannot be evaluated server-side.
let DomainSuffix = "corp.example";
let OfficeProcesses = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "onenote.exe", "visio.exe"]);
let SmbPorts = dynamic([445, 139]);
let LureFolders = dynamic(["Desktop", "Downloads", "Documents", "Public", "Share", "Shares"]);
union isfuzzy=true
// Part A: any process initiating outbound SMB to a routable address.
// ipv4_is_private() matches 10/8, 172.16/12 and 192.168/16 exactly, which a string-prefix
// list cannot; loopback, link-local, unspecified, multicast and reserved/broadcast space are
// excluded separately. RemoteIPType == "Public" is an equivalent MDE-native filter.
(
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemotePort in (SmbPorts)
    | where isnotempty(RemoteIP) and not(ipv4_is_private(RemoteIP))
    | where not(ipv4_is_in_any_range(RemoteIP, "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4"))
    | extend DetectionPart = "A",
             IsOfficeProcess = InitiatingProcessFileName in~ (OfficeProcesses),
             IsExternalSMB = true
    | project Timestamp, DetectionPart, DeviceName, AccountName = InitiatingProcessAccountName,
              RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine,
              IsOfficeProcess, IsExternalSMB
),
// Part B: .SCF or .LNK lure files written to folders a victim is likely to browse
// (setup for credential harvesting; Explorer authenticates to the UNC icon path on render).
(
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed")
    | where FileName endswith ".scf" or FileName endswith ".lnk"
    | where FolderPath has_any (LureFolders)
    | extend DetectionPart = "B",
             IsOfficeProcess = InitiatingProcessFileName in~ (OfficeProcesses),
             IsExternalSMB = false
    | project Timestamp, DetectionPart, DeviceName, AccountName = RequestAccountName,
              RemoteIP = "", RemotePort = int(null), InitiatingProcessFileName, InitiatingProcessCommandLine,
              IsOfficeProcess, IsExternalSMB
),
// Part C: explicit-credential logons (Security Event 4648) to targets outside the domain suffix.
// 4648 carries no LogonType, destination port or command line, so none are fabricated here;
// treat it as a weaker, corroborating signal rather than proof of SMB capture.
(
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4648
    | where isnotempty(TargetServerName)
    | where TargetServerName !~ "localhost" and TargetServerName != "127.0.0.1"
    | where not(TargetServerName endswith DomainSuffix)
    | extend DetectionPart = "C",
             IsOfficeProcess = extract(@"[^\\]+$", 0, ProcessName) in~ (OfficeProcesses),
             IsExternalSMB = false
    | project Timestamp = TimeGenerated, DetectionPart, DeviceName = Computer, AccountName = SubjectUserName,
              RemoteIP = IpAddress, RemotePort = int(null),
              InitiatingProcessFileName = ProcessName, InitiatingProcessCommandLine = "",
              IsOfficeProcess, IsExternalSMB
)
| sort by Timestamp desc
Severity: High · Confidence: High

Multi-part detection for Forced Authentication (T1187) covering three distinct patterns: (A) outbound SMB connections (port 445/139) from any process to a routable, non-RFC1918 address, which is rarely legitimate from a workstation and is the path by which a coerced Net-NTLMv2 response leaves the network; (B) .SCF or .LNK files written to user-accessible folders, which make Explorer authenticate to the UNC icon path as soon as a user browses the folder; (C) Security Event ID 4648 explicit-credential logons to targets outside the domain suffix, which may accompany NTLM capture or relay activity. Office processes initiating outbound SMB are flagged with IsOfficeProcess, pointing to remote template injection as the likely delivery vector. Event 4648 records no logon type, destination port or command line, so Part C should be read as a weaker corroborating signal rather than as confirmed SMB traffic.
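The three parts of the query, re-implemented in Python over constructed sample telemetry so the filtering logic can be checked offline. This is an added example, not the Sentinel rule or any vendor code; the host names, accounts, addresses and the DOMAIN_SUFFIX value are assumptions, and explicit CIDR matching stands in for ipv4_is_private(). It also exercises the edge the prefix-list approach handles clumsily: 172.31.5.5 is private while 172.32.0.9 is routable.

```python
"""Re-implementation of the three T1187 detection parts over constructed
sample telemetry. Added example, not the Sentinel rule: host names, users,
addresses and DOMAIN_SUFFIX below are made up for illustration."""
import ipaddress

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "mspub.exe", "onenote.exe", "visio.exe"}
SMB_PORTS = {445, 139}
# Folder names standing in for the FolderPath has_any() filter of Part B.
LURE_DIRS = {"desktop", "downloads", "documents", "public", "share", "shares"}
# Assumption: AD DNS suffix of the monitored forest (KQL has no env_var()).
DOMAIN_SUFFIX = "corp.example"
# RFC1918 plus unspecified, loopback, link-local, multicast and reserved space.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_external(ip: str) -> bool:
    """True only for routable IPv4. CIDR matching gets the 172.16.0.0/12
    boundary right: 172.31.x is private, 172.32.x is not."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False              # empty or malformed RemoteIP: never alert
    if addr.version != 4:
        return False              # the rule is IPv4-only, like the KQL
    return not any(addr in net for net in NON_ROUTABLE)


def part_a_external_smb(net_events):
    """Part A: any process opening SMB (445/139) to a routable address."""
    hits = []
    for e in net_events:
        if e["RemotePort"] in SMB_PORTS and is_external(e["RemoteIP"]):
            proc = e["InitiatingProcessFileName"]
            hits.append({"Part": "A", "DeviceName": e["DeviceName"], "Process": proc,
                         "RemoteIP": e["RemoteIP"],
                         "IsOfficeProcess": proc.lower() in OFFICE_PROCESSES})
    return hits


def part_b_lure_files(file_events):
    """Part B: .scf/.lnk written into a folder a victim is likely to browse."""
    hits = []
    for e in file_events:
        if not e["FileName"].lower().endswith((".scf", ".lnk")):
            continue
        # FolderPath in DeviceFileEvents is the full path; match on path segments.
        segments = {s.lower() for s in e["FolderPath"].split("\\") if s}
        if segments & LURE_DIRS:
            hits.append({"Part": "B", "DeviceName": e["DeviceName"],
                         "FileName": e["FileName"], "FolderPath": e["FolderPath"],
                         "Process": e["InitiatingProcessFileName"]})
    return hits


def part_c_explicit_logons(security_events):
    """Part C: 4648 explicit-credential logons to targets outside the domain."""
    hits = []
    for e in security_events:
        if e["EventID"] != 4648:
            continue
        target = e["TargetServerName"].lower()
        if target in ("", "localhost", "127.0.0.1"):
            continue
        if target == DOMAIN_SUFFIX or target.endswith("." + DOMAIN_SUFFIX):
            continue
        hits.append({"Part": "C", "DeviceName": e["Computer"],
                     "Account": e["SubjectUserName"], "Target": e["TargetServerName"],
                     "RemoteIP": e["IpAddress"]})
    return hits


def run_all(net_events, file_events, security_events):
    return (part_a_external_smb(net_events) + part_b_lure_files(file_events)
            + part_c_explicit_logons(security_events))


# Constructed sample telemetry (not real data).
NET_EVENTS = [
    {"DeviceName": "WS01", "RemoteIP": "203.0.113.10", "RemotePort": 445, "InitiatingProcessFileName": "WINWORD.EXE"},
    {"DeviceName": "WS01", "RemoteIP": "172.31.5.5", "RemotePort": 445, "InitiatingProcessFileName": "explorer.exe"},
    {"DeviceName": "WS02", "RemoteIP": "172.32.0.9", "RemotePort": 139, "InitiatingProcessFileName": "explorer.exe"},
    {"DeviceName": "WS02", "RemoteIP": "198.51.100.7", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "WS03", "RemoteIP": "127.0.0.1", "RemotePort": 445, "InitiatingProcessFileName": "powershell.exe"},
    {"DeviceName": "WS03", "RemoteIP": "", "RemotePort": 445, "InitiatingProcessFileName": "System"},
]
FILE_EVENTS = [
    {"DeviceName": "WS01", "FileName": "@readme.scf", "FolderPath": "C:\\Users\\Public\\Desktop\\@readme.scf", "InitiatingProcessFileName": "cmd.exe"},
    {"DeviceName": "WS01", "FileName": "report.docx", "FolderPath": "C:\\Users\\alice\\Desktop\\report.docx", "InitiatingProcessFileName": "WINWORD.EXE"},
    {"DeviceName": "WS04", "FileName": "Vendor.lnk", "FolderPath": "C:\\ProgramData\\Vendor\\Vendor.lnk", "InitiatingProcessFileName": "msiexec.exe"},
]
SECURITY_EVENTS = [
    {"EventID": 4648, "Computer": "WS01", "SubjectUserName": "alice", "TargetServerName": "fs01.corp.example", "IpAddress": "10.0.0.5"},
    {"EventID": 4648, "Computer": "WS01", "SubjectUserName": "alice", "TargetServerName": "203.0.113.10", "IpAddress": "203.0.113.10"},
    {"EventID": 4648, "Computer": "WS02", "SubjectUserName": "bob", "TargetServerName": "localhost", "IpAddress": "::1"},
    {"EventID": 4624, "Computer": "WS02", "SubjectUserName": "bob", "TargetServerName": "203.0.113.10", "IpAddress": "203.0.113.10"},
]

if __name__ == "__main__":
    for hit in run_all(NET_EVENTS, FILE_EVENTS, SECURITY_EVENTS):
        print(hit)
```

Run as-is it prints four hits: the Word process talking SMB to 203.0.113.10 (Office flag set), Explorer reaching 172.32.0.9 on 139, the @readme.scf dropped on the Public desktop, and the 4648 to a non-domain target. The empty RemoteIP, the loopback connection and the 172.31.x connection are all suppressed, which is the behaviour the production query needs before it goes near an alerting rule.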

Data Sources

Network Traffic: Network Connection Creation; File: File Creation; Logon Session: Logon Session Creation; Microsoft Defender for Endpoint; Windows Security Event Log

Required Tables

DeviceNetworkEvents, DeviceFileEvents, SecurityEvent

False Positives & Tuning

  • Legitimate file shares accessed over SMB to non-RFC1918 IPs, such as hosted file storage services or MPLS partner networks with routable address space
  • Security scanning tools and vulnerability scanners initiating SMB connections to external hosts during authorized penetration testing
  • .LNK files created by legitimate application installers or shortcuts created by software deployment tools (SCCM, Intune) placed in shared directories
  • IT administrators manually connecting to external customer environments or remote support sessions using explicit credentials (Event ID 4648)
  • Backup agents and DFS replication connecting to remote file servers with non-RFC1918 addresses in hosted environments

Testing Methodology

Validate this detection against the four Atomic Red Team tests for T1187 listed below. Each test gives the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: SMB Forced Authentication via SCF File

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains '@desktop.scf' in a Desktop path. Sysmon Event ID 3 (Network Connection): explorer.exe to 127.0.0.1:445 when the folder is browsed and the icon UNC path is resolved. Windows Security Event ID 4624/4625 with Logon Type 3 on the local system for the SMB logon. The .scf creation by cmd.exe is itself suspicious and should fire Part B of the rule.

  2. Test 2: Forced SMB Authentication via PowerShell Net.WebClient UNC Request

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with CommandLine containing 'WebClient' and '127.0.0.1'. Sysmon Event ID 3 (Network Connection): powershell.exe to 127.0.0.1:445. Windows Security Event ID 4624/4625 with Logon Type 3 on the local system; Event ID 4648 appears only if the script supplies explicit credentials. PowerShell ScriptBlock Log Event ID 4104 with the full script content.

  3. Test 3: Malicious LNK File with External UNC Icon Reference

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'argus-test.lnk' in a Desktop path, created by powershell.exe. Sysmon Event ID 1 for powershell.exe with CreateShortcut and IconLocation in CommandLine. Sysmon Event ID 3 when the Desktop folder is browsed: explorer.exe connecting to 127.0.0.1:445 to resolve the icon UNC path. Security Event ID 4624/4625 Logon Type 3 for the resulting NTLM authentication attempt.

  4. Test 4: PetitPotam EfsRpcOpenFileRaw Coerce Authentication (Simulated)

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with Add-Type and RpcBindingFromStringBinding in CommandLine. Windows Security Event ID 4688 (if command line auditing is enabled). In a full PetitPotam execution against a domain controller the telemetry is on the coerced host, not the attacker: Security Event ID 5145 on the DC for the IPC$ share with RelativeTargetName lsarpc or efsrpc (if object access auditing is enabled), followed by an outbound connection from the DC to the attacker listener on port 445 (Sysmon Event ID 3 or DeviceNetworkEvents, typically attributed to the System process), which Part A of the rule flags when the listener address is routable. The machine-account logon is recorded on the listener, not on the DC, and a machine-account response is useful to the attacker for relay rather than for cracking.
