EXPLORE
Sign In
← Back to Explore
T1187

Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept. The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the curren...

Windows
21
Detections
3
Sources
2
Threat Actors

BY SOURCE

10elastic6sigma5splunk_escu

PROCEDURES (14)

Network Connection Monitoring4 detections

Auto-extracted: 4 detections for network connection monitoring

Inject3 detections

Auto-extracted: 3 detections for inject

Privilege2 detections

Auto-extracted: 2 detections for privilege

Base642 detections

Auto-extracted: 2 detections for base64

Remote1 detections

Auto-extracted: 1 detections for remote

Remote1 detections

Auto-extracted: 1 detections for remote

Base641 detections

Auto-extracted: 1 detections for base64

Inject1 detections

Auto-extracted: 1 detections for inject

Inject1 detections

Auto-extracted: 1 detections for inject

Service1 detections

Auto-extracted: 1 detections for service

Dns1 detections

Auto-extracted: 1 detections for dns

Base641 detections

Auto-extracted: 1 detections for base64

Privilege1 detections

Auto-extracted: 1 detections for privilege

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

THREAT ACTORS (2)

DarkHydrusDragonfly

DETECTIONS (21)

Active Directory Forced Authentication from Linux Host - SMB Named Pipes
elasticmedium
Attempts of Kerberos Coercion Via DNS SPN Spoofing
sigmahigh
DNS Kerberos Coercion
splunk_escu
PetitPotam Network Share Access Request
splunk_escu
PetitPotam Suspicious Kerberos TGT Request
sigmahigh
Possible PetitPotam Coerce Authentication Attempt
sigmahigh
Potential Computer Account NTLM Relay Activity
elasticmedium
Potential Kerberos Coercion via DNS-Based SPN Spoofing
elastichigh
Potential Kerberos Relay Attack against a Computer Account
elastichigh
Potential Kerberos SPN Spoofing via Suspicious DNS Query
elastichigh
Potential Local NTLM Relay via HTTP
elastichigh
Potential Machine Account Relay Attack via SMB
elastichigh
Potential NTLM Relay Attack against a Computer Account
elastichigh
Potential PetitPotam Attack Via EFS RPC Calls
sigmamedium
Rare Connection to WebDAV Target
elasticmedium
Rare SMB Connection to the Internet
elasticmedium
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
sigmahigh
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
sigmahigh
Windows Credential Target Information Structure in Commandline
splunk_escu
Windows Kerberos Coercion via DNS
splunk_escu
Windows Short Lived DNS Record
splunk_escu