T1187 Sumo Logic CSE · Sumo

Detect Forced Authentication in Sumo Logic CSE

Adversaries may gather credential material by forcing a user or system to automatically provide authentication information through SMB or WebDAV mechanisms they can intercept. When a Windows system connects to an SMB resource it automatically attempts to authenticate, sending hashed credentials to the remote system. Adversaries exploit this by placing malicious .SCF/.LNK files, Office documents with remote template injection, or exploiting the EfsRpcOpenFileRaw function (PetitPotam) to coerce NTLM authentication to attacker-controlled servers where NTLMv2 hashes can be captured and cracked offline.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1187 Forced Authentication
Canonical reference
https://attack.mitre.org/techniques/T1187/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Part A: External SMB from Office processes (Sysmon Event 3)
// Sumo Logic log search has no eval operator; constants and conditionals are assigned with "value" as field and if(cond, a, b) as field
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "3"
| where DestinationPort = "445" OR DestinationPort = "139"
// Exclude RFC1918, loopback and link-local destinations
| where !(DestinationIp matches /^10\./ OR DestinationIp matches /^172\.(1[6-9]|2[0-9]|3[0-1])\./ OR DestinationIp matches /^192\.168\./ OR DestinationIp matches /^127\./ OR DestinationIp matches /^169\.254\./)
| where DestinationIp != "0.0.0.0" AND DestinationIp != "255.255.255.255"
| if(Image matches /(?i)(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe/, "true", "false") as IsOfficeProcess
| if(IsOfficeProcess = "true", "critical", "high") as severity
| "ExternalSMB" as detection_type
| fields _messageTime, Computer, User, Image, CommandLine, DestinationIp, DestinationPort, IsOfficeProcess, severity, detection_type

// Part B: SCF or LNK file written to user directories (Sysmon Event 11)
// Run as a separate query and union the results in a dashboard
(_sourceCategory="windows/sysmon" OR _sourceCategory="WinEventLog/Sysmon")
| where EventID = "11"
| where TargetFilename matches /(?i)\.(scf|lnk)$/
| where TargetFilename matches /(?i)\\(Desktop|Downloads|Documents|Public|Shares?)\\/
| if(Image matches /(?i)(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe/, "true", "false") as IsOfficeProcess
| "high" as severity
| "SuspiciousSCForLNK" as detection_type
| fields _messageTime, Computer, User, Image, CommandLine, TargetFilename, IsOfficeProcess, severity, detection_type

// Part C: Explicit credential logon (Security Event 4648)
// Replace yourdomain.com with your own internal DNS suffix
(_sourceCategory="windows/security" OR _sourceCategory="WinEventLog/Security")
| where EventID = "4648"
| where LogonType = "3"
| where TargetServerName != "localhost" AND TargetServerName != "127.0.0.1"
| where !(TargetServerName matches /(?i)\.yourdomain\.com$/)
| if(ProcessName matches /(?i)(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe/, "true", "false") as IsOfficeProcess
| if(IsOfficeProcess = "true", "critical", "medium") as severity
| "ExplicitCredentialLogon" as detection_type
| fields _messageTime, Computer, SubjectUserName, ProcessName, TargetServerName, IpAddress, IsOfficeProcess, severity, detection_type
| sort by _messageTime desc
Severity
high
Confidence
medium

This is a three-part Sumo Logic detection for T1187 forced NTLM authentication coercion. Part A identifies Office applications making outbound SMB connections to external (non-RFC1918) IPs, a signature of embedded UNC paths or remote template injection in malicious documents. Part B catches .SCF and .LNK file drops into user-browsable directories, where simply rendering the folder triggers automatic credential disclosure. Part C monitors Windows Security Event 4648 for explicit NTLM credential use against systems outside the domain. Each part should be run as a separate query, with the results combined in a dashboard or alert group.

Data Sources

  • Sumo Logic Cloud SIEM
  • Windows Sysmon via Sumo Logic Collector
  • Windows Security Event Log via Sumo Logic Collector

Required Tables

  • _sourceCategory=windows/sysmon
  • _sourceCategory=windows/security

False Positives & Tuning

  • Network printers or MFPs configured with UNC path scanning destinations that appear as external SMB from svchost or print spooler — validate by confirming destination is a known printer server
  • Automated LNK file creation by legitimate application installers writing shortcuts to the Desktop (e.g., Adobe, Zoom) during mass software deployment
  • VPN-connected users where internal IP space for branch offices falls outside the excluded RFC1918 ranges, causing legitimate file server connections to appear as external SMB
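As an added illustration, not code from the page or from Sumo Logic, the following Python replays the three query parts over constructed Sysmon and Security events and applies the three tuning allowlists from the list above (extra internal ranges for branch-office VPN space, known printer servers, and installer images allowed to drop shortcuts). The event dictionaries, the IP addresses (203.0.113.x, 100.64.0.0/10) and the `TUNING` values are constructed for the example; the field names are the flat names the query uses, and `yourdomain.com` is the page's placeholder.

```python
"""Offline emulation of the three-part T1187 detection plus its tuning allowlists.
Added example: the events and allowlists below are constructed, not real telemetry."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Regexes copied from the page's query.
OFFICE_RE = re.compile(r"(winword|excel|powerpnt|outlook|mspub|onenote|visio)\.exe", re.I)
SCF_LNK_RE = re.compile(r"\.(scf|lnk)$", re.I)
USER_DIR_RE = re.compile(r"\\(Desktop|Downloads|Documents|Public|Shares?)\\", re.I)
INTERNAL_DOMAIN_RE = re.compile(r"\.yourdomain\.com$", re.I)  # placeholder suffix from the page

# Ranges the query treats as internal: RFC1918, loopback, link-local.
BASE_INTERNAL = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
NOISE_IPS = {"0.0.0.0", "255.255.255.255"}  # dropped by Part A


def is_internal(ip: str, extra_internal: Iterable[str] = ()) -> bool:
    """True if ip is RFC1918/loopback/link-local or inside a tuned-in branch range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal: leave it for the analyst
    nets = BASE_INTERNAL + [ipaddress.ip_network(n) for n in extra_internal]
    return any(addr in n for n in nets)


def classify(event: Dict[str, str], *, extra_internal: Iterable[str] = (),
             known_printer_servers: Iterable[str] = (),
             installer_images: Iterable[str] = ()) -> Optional[Dict[str, str]]:
    """Return an alert (detection_type, severity, IsOfficeProcess) or None.
    The three branches mirror Parts A, B and C; the keyword arguments are the
    allowlists suggested under False Positives & Tuning (hypothetical knobs)."""
    eid = str(event.get("EventID"))
    image = event.get("Image") or event.get("ProcessName", "")
    office = bool(OFFICE_RE.search(image))
    is_office = str(office).lower()

    if eid == "3":  # Part A: outbound SMB to a non-internal address
        dst = event.get("DestinationIp", "")
        if event.get("DestinationPort") not in ("445", "139"):
            return None
        if dst in NOISE_IPS or is_internal(dst, extra_internal):
            return None
        if dst in set(known_printer_servers):  # FP: MFP scan-to-UNC destinations
            return None
        return {"detection_type": "ExternalSMB",
                "severity": "critical" if office else "high", "IsOfficeProcess": is_office}

    if eid == "11":  # Part B: .scf/.lnk dropped into a user-browsable folder
        target = event.get("TargetFilename", "")
        if not (SCF_LNK_RE.search(target) and USER_DIR_RE.search(target)):
            return None
        if image.lower() in {i.lower() for i in installer_images}:  # FP: deployment installers
            return None
        return {"detection_type": "SuspiciousSCForLNK", "severity": "high",
                "IsOfficeProcess": is_office}

    if eid == "4648":  # Part C: explicit-credential logon to a non-domain host
        server = event.get("TargetServerName", "")
        if event.get("LogonType") != "3" or server in ("localhost", "127.0.0.1"):
            return None
        if INTERNAL_DOMAIN_RE.search(server):
            return None
        return {"detection_type": "ExplicitCredentialLogon",
                "severity": "critical" if office else "medium", "IsOfficeProcess": is_office}
    return None


# Constructed sample telemetry (not real logs); one true positive per part plus one FP each.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "3", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "203.0.113.10", "DestinationPort": "445"},
    {"EventID": "3", "Image": r"C:\Windows\System32\spoolsv.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": "445"},   # known printer server
    {"EventID": "3", "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "100.64.5.9", "DestinationPort": "445"},     # branch-office VPN range
    {"EventID": "11", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\@desktop.scf"},
    {"EventID": "11", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\Public\Desktop\Zoom.lnk"},       # installer-created shortcut
    {"EventID": "4648", "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "LogonType": "3", "TargetServerName": "files.example.net"},
    {"EventID": "4648", "ProcessName": r"C:\Windows\explorer.exe",
     "LogonType": "3", "TargetServerName": "fs01.yourdomain.com"},  # in-domain, excluded
]

TUNING = dict(extra_internal=("100.64.0.0/10",),            # constructed branch VPN space
              known_printer_servers=("203.0.113.20",),
              installer_images=(r"C:\Windows\System32\msiexec.exe",))


def run(events=SAMPLE_EVENTS, tuning=TUNING) -> List[Dict[str, str]]:
    """Apply classify() to every event and return the alerts that survive tuning."""
    alerts = []
    for ev in events:
        hit = classify(ev, **tuning)
        if hit:
            alerts.append({**hit, "Image": ev.get("Image") or ev.get("ProcessName", "")})
    return alerts


if __name__ == "__main__":
    for a in run():
        print(a["detection_type"], a["severity"], a["IsOfficeProcess"], a["Image"])
```

Without the allowlists, `run(SAMPLE_EVENTS, {})` returns six alerts; with them, the printer, branch-office and installer events are suppressed and three remain, one per part. Note that Part A (and this emulation) excludes 127.0.0.0/8, so the loopback connections to 127.0.0.1:445 described in Tests 1 to 3 below will not raise an ExternalSMB alert; those tests are covered by Part B (the .scf/.lnk drop) and Part C (Event 4648).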

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SMB Forced Authentication via SCF File

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains '@desktop.scf' in Desktop path. Sysmon Event ID 3 (Network Connection): from explorer.exe to 127.0.0.1:445 when folder is browsed. Windows Security Event ID 4648 if authentication is attempted. The file creation from cmd.exe is itself suspicious and should trigger the SCF detection rule.

  2. Test 2: Forced SMB Authentication via PowerShell Net.WebClient UNC Request

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe with CommandLine containing 'WebClient' and '127.0.0.1'. Sysmon Event ID 3 (Network Connection): from powershell.exe to 127.0.0.1:445. Windows Security Event ID 4648 on the local system for the attempted explicit credential usage. PowerShell ScriptBlock Log Event ID 4104 with the full script content.

  3. Test 3: Malicious LNK File with External UNC Icon Reference

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename contains 'argus-test.lnk' in Desktop path, created by powershell.exe. Sysmon Event ID 1 for powershell.exe with CreateShortcut and IconLocation in CommandLine. Sysmon Event ID 3 when Desktop folder is browsed: explorer.exe connecting to 127.0.0.1:445 to resolve the icon UNC path. Security Event ID 4648 for the NTLM auth attempt.

  4. Test 4: PetitPotam EfsRpcOpenFileRaw Coerce Authentication (Simulated)

    Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with Add-Type and RpcBindingFromStringBinding in CommandLine. Windows Security Event ID 4688 (if command line auditing enabled). In a full PetitPotam execution: Security Event ID 4648 on the target DC, followed by Event ID 4624 Logon Type 3 from the coerced machine account, then network events from the DC machine account connecting outbound to the attacker listener on port 445.
