EXPLORE
← Back to Explore
T1187

Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept. The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the curren...

Windows
23
Detections
3
Sources
2
Threat Actors

BY SOURCE

10elastic7sigma6splunk_escu

PROCEDURES (16)

Network Connection Monitoring3 detections

Auto-extracted: 3 detections for network connection monitoring

Authentication Monitoring2 detections

Auto-extracted: 2 detections for authentication monitoring

Base642 detections

Auto-extracted: 2 detections for base64

Base642 detections

Auto-extracted: 2 detections for base64

Inject2 detections

Auto-extracted: 2 detections for inject

Base641 detections

Auto-extracted: 1 detections for base64

Credential1 detections

Auto-extracted: 1 detections for credential

Service1 detections

Auto-extracted: 1 detections for service

Inject1 detections

Auto-extracted: 1 detections for inject

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Dns1 detections

Auto-extracted: 1 detections for dns

Inject1 detections

Auto-extracted: 1 detections for inject

Unusual1 detections

Auto-extracted: 1 detections for unusual

THREAT ACTORS (2)

DETECTIONS (23)