EXPLORE
Sign In
← Back to Explore
T1187

Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept. The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the curren...

Windows
22
Detections
3
Sources
2
Threat Actors

BY SOURCE

10elastic6sigma6splunk_escu

PROCEDURES (16)

Network Connection Monitoring3 detections

Auto-extracted: 3 detections for network connection monitoring

Base642 detections

Auto-extracted: 2 detections for base64

Inject2 detections

Auto-extracted: 2 detections for inject

Base642 detections

Auto-extracted: 2 detections for base64

Authentication Monitoring2 detections

Auto-extracted: 2 detections for authentication monitoring

Service1 detections

Auto-extracted: 1 detections for service

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Dns1 detections

Auto-extracted: 1 detections for dns

Inject1 detections

Auto-extracted: 1 detections for inject

Inject1 detections

Auto-extracted: 1 detections for inject

Unusual1 detections

Auto-extracted: 1 detections for unusual

Base641 detections

Auto-extracted: 1 detections for base64

THREAT ACTORS (2)

DarkHydrusDragonfly

DETECTIONS (22)

Active Directory Forced Authentication from Linux Host - SMB Named Pipes
elasticmedium
Attempts of Kerberos Coercion Via DNS SPN Spoofing
sigmahigh
DNS Kerberos Coercion
splunk_escu
PetitPotam Network Share Access Request
splunk_escu
PetitPotam Suspicious Kerberos TGT Request
sigmahigh
Possible PetitPotam Coerce Authentication Attempt
sigmahigh
Potential Computer Account NTLM Relay Activity
elasticmedium
Potential Kerberos Coercion via DNS-Based SPN Spoofing
elastichigh
Potential Kerberos Relay Attack against a Computer Account
elastichigh
Potential Kerberos SPN Spoofing via Suspicious DNS Query
elastichigh
Potential Local NTLM Relay via HTTP
elastichigh
Potential Machine Account Relay Attack via SMB
elastichigh
Potential NTLM Relay Attack against a Computer Account
elastichigh
Potential PetitPotam Attack Via EFS RPC Calls
sigmamedium
Rare Connection to WebDAV Target
elasticmedium
Rare SMB Connection to the Internet
elasticmedium
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
sigmahigh
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
sigmahigh
Windows Credential Target Information Structure in Commandline
splunk_escu
Windows Kerberos Coercion via DNS
splunk_escu
Windows Short Lived DNS Record
splunk_escu
Windows Theme File Creation in Unusual Location
splunk_escu