detection.wiki

ATT&CK coverage › Technique

Forced Authentication T1187

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

Events covered

10 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon22DNSEvent (DNS query)
Security-Auditing4624An account was successfully logged on.
Security-Auditing4625An account failed to log on.
Security-Auditing4662An operation was performed on an object.
Security-Auditing4688A new process has been created.
Security-Auditing4768A Kerberos authentication ticket (TGT) was requested.
Security-Auditing5136A directory service object was modified.
Security-Auditing5137A directory service object was created.
Security-Auditing5145A network share object was checked to see whether client can be granted desired access.

Authoring guide

Patterns shared across the 14 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (21 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
user7ends_with 5, eq 2, ne 1$, ANONYMOUS LOGON, "ANONYMOUS LOGON"
source.ip4ne 4127.0.0.1, ::1, ::
AuthenticationPackageName3eq 3NTLM, Kerberos
LogonType3eq 3network, Network
computer_name3starts_with 3
EventID3eq 35145, "4662", "5136", "5137", 5137
AdditionalInfo2wildcard 1, eq 1*UWhRC*BAAAA*MicrosoftDNS*, "*1UWhRCA*", "*YBAAAA*", "*AAAAA*"
ObjectDN2wildcard 1, eq 1*UWhRC*BAAAA*MicrosoftDNS*, "*1UWhRCA*", "*YBAAAA*", "*AAAAA*"
file.name2eq 2efsrpc, FssagentRpc, eventlog
CommandLine2match 1, eq 1BAAAA, UWhRCA, "*1UWhRCA*", "*YBAAAA*", "*AAAAA*"
RelativeTargetName2eq 2lsarpc
ObjectClass2eq 2"dnsNode"
host.name1starts_with 1
src_ip1eq 1::1
CertThumbprint1match 1, eq 1*

Top indicator values (58 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
userends_with$518
source.ipne::147
source.ipne127.0.0.148
AuthenticationPackageNameeqNTLM22
file.nameeqsamr2
file.nameeqdnsserver2
file.nameeqdhcpserver2
file.nameeqefsrpc2
file.nameeqsrvsvc2
file.nameeqlsass2
file.nameeqnetdfs2
file.nameeqSpoolss2
file.nameeqnetlogon2
file.nameeqFssagentRpc2
file.nameeqwinreg2
file.nameeqWinsPipe2
LogonTypeeqnetwork2
file.nameeqlsarpc2
file.nameeqeventlog2
RelativeTargetNameeqlsarpc23

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 4 rules

Elastic 5 rules

Splunk 5 rules