title: Forced Authentication (T1187)
id: df00tech-t1187
status: experimental
description: "Adversaries may gather credential material by forcing a user or system to automatically provide authentication information through SMB or WebDAV mechanisms they can intercept. When a Windows system connects to an SMB or WebDAV resource it automatically attempts NTLM authentication, sending a Net-NTLMv2 challenge-response (not the NT hash itself) to the remote system. Adversaries trigger this by placing .SCF or .LNK files that reference an attacker-controlled UNC path on shares or in locations users browse, by delivering Office documents with remote template injection, or by calling the EfsRpcOpenFileRaw function of the MS-EFSR interface (PetitPotam) to coerce a target host's machine account into authenticating. The attacker-controlled server captures the Net-NTLMv2 response, which can be cracked offline or relayed to another service while the session is live."
references:
  - https://attack.mitre.org/techniques/T1187/
  - https://df00tech.com/detections/T1187
author: df00tech
date: 2026/04/18
tags:
  - attack.t1187
# NOTE: logsource is auto-derived (Sigma maps category network_connection / product windows to Sysmon Event ID 3) and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # Placeholder: the selection below matches every event in the logsource and must not be deployed as-is.
  # The detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate file shares accessed over SMB to non-RFC1918 IPs, such as hosted file storage services or MPLS partner networks with routable address space"
  - Security scanning tools and vulnerability scanners initiating SMB connections to external hosts during authorized penetration testing
  - ".LNK files created by legitimate application installers or shortcuts created by software deployment tools (SCCM, Intune) placed in shared directories"
  - IT administrators manually connecting to external customer environments or remote support sessions using explicit credentials (Event ID 4648)
  - Backup agents and DFS replication connecting to remote file servers with non-RFC1918 addresses in hosted environments
level: high
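The rule above ships only a placeholder selection. As an added example (not code from the df00tech rule or from Sysmon), the script below shows the shape of detection logic that the description and false-positive list point to: outbound SMB from a Windows host to a non-RFC1918 destination, and .SCF/.LNK lure files written to a UNC share. It runs over constructed Sysmon-style records (Event ID 3 network connections and Event ID 11 file creates) and applies hypothetical allowlists for hosted storage ranges, authorised scanners and deployment tools; the field names follow Sysmon, the allowlist values and sample telemetry are invented for the example.

```python
"""T1187 Forced Authentication: toy detector over constructed Sysmon records.

Added example, not code from the df00tech rule. Field names follow Sysmon
(EventID, Image, SourceIp, DestinationIp, DestinationPort, Initiated,
TargetFilename); the allowlists are hypothetical tuning values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# RFC 1918 plus loopback; any other destination counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Hypothetical tuning for the rule's false positives: hosted storage / partner
# space reached over SMB, authorised scanner source IPs, and deployment tools
# that legitimately write .lnk files to shares.
ALLOWED_EXTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SCANNER_HOSTS = {"10.0.9.50"}
DEPLOYMENT_TOOLS = ("ccmexec.exe", "intunewindowsagent.exe")
SMB_PORTS = {139, 445}
LURE_EXTENSIONS = (".scf", ".lnk")

@dataclass
class Alert:
    rule: str
    computer: str
    detail: str

def _in_any(ip_str: str, nets) -> bool:
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in nets)

def is_internal(ip_str: str) -> bool:
    return _in_any(ip_str, INTERNAL_NETS)

def check_network_connection(rec: dict) -> Optional[Alert]:
    """Sysmon Event ID 3: outbound SMB to a non-RFC1918, non-allowlisted host.
    The SMB redirector runs in the kernel, so a coerced connection (lure file,
    template injection, PetitPotam) is logged with Image 'System'."""
    if rec.get("EventID") != 3 or rec.get("Initiated") != "true":
        return None
    if int(rec.get("DestinationPort", 0)) not in SMB_PORTS:
        return None
    dst = rec.get("DestinationIp", "")
    if is_internal(dst) or _in_any(dst, ALLOWED_EXTERNAL_NETS):
        return None
    if rec.get("SourceIp") in SCANNER_HOSTS:
        return None
    return Alert("outbound SMB to external host", rec["Computer"],
                 f"{rec.get('Image')} -> {dst}:{rec['DestinationPort']}")

def check_lure_file(rec: dict) -> Optional[Alert]:
    """Sysmon Event ID 11: .scf/.lnk written to a UNC share by a non-deployment process."""
    if rec.get("EventID") != 11:
        return None
    path = rec.get("TargetFilename", "")
    if not path.lower().endswith(LURE_EXTENSIONS) or not path.startswith("\\\\"):
        return None
    if rec.get("Image", "").lower().endswith(DEPLOYMENT_TOOLS):
        return None
    return Alert("lure file written to share", rec["Computer"],
                 f"{rec.get('Image')} wrote {path}")

def run(records) -> list:
    alerts = []
    for rec in records:
        for check in (check_network_connection, check_lure_file):
            alert = check(rec)
            if alert is not None:
                alerts.append(alert)
    return alerts

# Constructed sample telemetry (not real logs); ports are strings as Sysmon emits them.
SAMPLE_RECORDS = [
    # file server coerced into SMB to an external listener: alert
    {"EventID": 3, "Computer": "FS01", "Image": "System", "SourceIp": "10.0.1.20",
     "DestinationIp": "198.51.100.77", "DestinationPort": "445", "Initiated": "true"},
    # ordinary internal share access: no alert
    {"EventID": 3, "Computer": "WS07", "Image": "System", "SourceIp": "10.0.2.15",
     "DestinationIp": "10.0.1.20", "DestinationPort": "445", "Initiated": "true"},
    # allowlisted hosted storage: no alert
    {"EventID": 3, "Computer": "WS07", "Image": "System", "SourceIp": "10.0.2.15",
     "DestinationIp": "203.0.113.10", "DestinationPort": "445", "Initiated": "true"},
    # authorised scanner probing an external host: no alert
    {"EventID": 3, "Computer": "SCAN01", "Image": "C:\\Tools\\nmap.exe", "SourceIp": "10.0.9.50",
     "DestinationIp": "198.51.100.200", "DestinationPort": "445", "Initiated": "true"},
    # .scf dropped on a public share by Explorer: alert
    {"EventID": 11, "Computer": "WS07", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "\\\\fs01\\public\\@readme.scf"},
    # SCCM client writing a shortcut to a share: no alert
    {"EventID": 11, "Computer": "WS07", "Image": "C:\\Windows\\CCM\\CcmExec.exe",
     "TargetFilename": "\\\\fs01\\apps\\Tool.lnk"},
    # local desktop shortcut, not a share: no alert
    {"EventID": 11, "Computer": "WS07", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\Desktop\\note.lnk"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_RECORDS):
        print(f"[T1187 {alert.rule}] {alert.computer}: {alert.detail}")
```

On the sample data the script raises two alerts: the coerced file server connecting to 198.51.100.77:445, and explorer.exe writing @readme.scf to \\fs01\public. The internal share access, the allowlisted storage range, the scanner and the SCCM client are all suppressed, which mirrors the false positives listed in the rule. Note that the port-based check does not cover the WebDAV path: the WebClient service authenticates over HTTP, so catching that variant needs the HTTP/DNS telemetry rather than a destination-port match.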
