T1187 Splunk · SPL

Detect Forced Authentication in Splunk

Adversaries may gather credential material by forcing a user or system to automatically provide authentication information through SMB or WebDAV mechanisms they can intercept. When a Windows system connects to an SMB resource it automatically attempts to authenticate, sending hashed credentials to the remote system. Adversaries exploit this by placing malicious .SCF/.LNK files, Office documents with remote template injection, or exploiting the EfsRpcOpenFileRaw function (PetitPotam) to coerce NTLM authentication to attacker-controlled servers where NTLMv2 hashes can be captured and cracked offline.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1187 Forced Authentication
Canonical reference
https://attack.mitre.org/techniques/T1187/

SPL Detection Query

Splunk (SPL)
spl 
| union
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (DestinationPort=445 OR DestinationPort=139)
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
       OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
       OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
       OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
       OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
       OR DestinationIp="172.30.*" OR DestinationIp="172.31.*"
       OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="169.254.*")
| eval detection_type="ExternalSMB"
| eval IsOfficeProcess=if(match(lower(Image), "(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe"), 1, 0)
| eval severity=if(IsOfficeProcess=1, "critical", "high")
| table _time, host, User, Image, CommandLine, DestinationIp, DestinationPort, detection_type, IsOfficeProcess, severity
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*.scf" OR TargetFilename="*.lnk")
  (TargetFilename="*\\Desktop\\*" OR TargetFilename="*\\Downloads\\*"
   OR TargetFilename="*\\Documents\\*" OR TargetFilename="*\\Public\\*"
   OR TargetFilename="*\\Share\\*" OR TargetFilename="*\\Shares\\*")
| eval detection_type="SuspiciousSCForLNK"
| eval IsOfficeProcess=if(match(lower(Image), "(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe"), 1, 0)
| eval severity="high"
| table _time, host, User, Image, CommandLine, TargetFilename, detection_type, IsOfficeProcess, severity
]
[
search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4648
  LogonType=3
  NOT (TargetServerName="localhost" OR TargetServerName="127.0.0.1")
| eval detection_type="ExplicitCredentialLogon"
| eval IsOfficeProcess=if(match(lower(ProcessName), "(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe"), 1, 0)
| eval severity=if(IsOfficeProcess=1, "critical", "medium")
| table _time, host, SubjectUserName, ProcessName, TargetServerName, IpAddress, detection_type, IsOfficeProcess, severity
]
| sort - _time
high severity high confidence

Multi-part detection using Sysmon and Windows Security events. Part A uses Sysmon Event ID 3 (Network Connection) to identify outbound SMB traffic (ports 445/139) to non-RFC1918 addresses, flagging Office processes as critical severity due to template injection risk. Part B uses Sysmon Event ID 11 (File Create) to detect .SCF or .LNK files written to user-accessible locations commonly used for hash capture trap files. Part C uses Windows Security Event ID 4648 to identify explicit credential logon attempts to non-localhost targets, a pattern associated with NTLM relay and forced auth scenarios. Results are unioned and sorted by time for analyst review.

Data Sources

Network Traffic: Network Connection CreationFile: File CreationLogon Session: Logon Session CreationSysmon Event ID 3Sysmon Event ID 11Windows Security Event ID 4648

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Legitimate file shares accessed over SMB to non-RFC1918 IPs in hosted or MPLS environments
  • Security scanning tools initiating authorized SMB connections to external targets during pentesting windows
  • .LNK files written by software deployment tools (SCCM, Intune) to user desktop or shared directories
  • IT administrators using explicit credentials for remote support sessions to external customer environments
  • Backup agents and DFS replication connecting to hosted file servers with public address space
Download portable Sigma rule (.yml)

Other platforms for T1187

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SMB Forced Authentication via SCF File

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains '@desktop.scf' in Desktop path. Sysmon Event ID 3 (Network Connection): from explorer.exe to 127.0.0.1:445 when folder is browsed. Windows Security Event ID 4648 if authentication is attempted. The file creation from cmd.exe is itself suspicious and should trigger the SCF detection rule.

  2. Test 2Forced SMB Authentication via PowerShell Net.WebClient UNC Request

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with CommandLine containing 'WebClient' and '127.0.0.1'. Sysmon Event ID 3 (Network Connection): from powershell.exe to 127.0.0.1:445. Windows Security Event ID 4648 on the local system for the attempted explicit credential usage. PowerShell ScriptBlock Log Event ID 4104 with the full script content.

  3. Test 3Malicious LNK File with External UNC Icon Reference

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'argus-test.lnk' in Desktop path, created by powershell.exe. Sysmon Event ID 1 for powershell.exe with CreateShortcut and IconLocation in CommandLine. Sysmon Event ID 3 when Desktop folder is browsed: explorer.exe connecting to 127.0.0.1:445 to resolve the icon UNC path. Security Event ID 4648 for the NTLM auth attempt.

  4. Test 4PetitPotam EfsRpcOpenFileRaw Coerce Authentication (Simulated)

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with Add-Type and RpcBindingFromStringBinding in CommandLine. Windows Security Event ID 4688 (if command line auditing enabled). In a full PetitPotam execution: Security Event ID 4648 on the target DC, followed by Event ID 4624 Logon Type 3 from the coerced machine account, then network events from the DC machine account connecting outbound to the attacker listener on port 445.

Last updated: 2026-04-18 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1187 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1221Template InjectionT1566.001Spearphishing AttachmentT1557Adversary-in-the-MiddleT1110Brute ForceT1558.003KerberoastingT1550.002Pass the HashT1078Valid AccountsT1003OS Credential DumpingT1071.002File Transfer Protocols

Same Tactic: Credential Access

Popular Detections