Forced Authentication

Information

• Name: Forced Authentication

• ID: T1187

• Tactics: TA0006

Introduction

Forced Authentication is a technique categorized under the MITRE ATT&CK framework (Technique ID: T1187). Adversaries leverage this technique to compel target systems or users to authenticate against attacker-controlled resources. By forcing authentication, attackers can capture authentication credentials, hashes, or tokens, facilitating further lateral movement, privilege escalation, or persistence within a compromised network.

Deep Dive Into Technique

Forced Authentication typically involves coercing a user or system into initiating authentication requests to attacker-controlled servers. Commonly exploited authentication protocols include SMB, HTTP/HTTPS, LDAP, and WebDAV. Attackers may utilize several technical methods to execute this technique:

• SMB Relay Attacks:

  • Attackers position themselves between a client and server to relay authentication requests, capturing NTLM hashes for offline cracking or immediate relay to another host.

  • Tools commonly used include Responder, Impacket's ntlmrelayx, and Metasploit modules.

• UNC Path Injection:

  • Injecting malicious UNC paths (\\attacker-IP\share) into documents, emails, or web pages.

  • When the victim accesses such content, their system automatically attempts authentication, sending NTLM hashes to the attacker's server.

• Malicious Redirects:

  • Web-based attacks where users are redirected to attacker-controlled web servers that prompt for authentication.

  • Techniques include embedding malicious links in phishing emails or compromised websites.

• LLMNR/NBNS Poisoning:

  • Attackers respond to link-local multicast name resolution (LLMNR) or NetBIOS Name Service (NBNS) queries, forcing systems to authenticate against attacker-controlled resources.

Real-world procedures involve attackers embedding malicious links, scripts, or macros in documents, emails, or web pages that trigger automatic authentication attempts. Captured credentials or hashes can be used directly for lateral movement, privilege escalation, or establishing persistence.

When this Technique is Usually Used

Forced Authentication is commonly employed in various stages of an attack lifecycle, including:

• Initial Access:

  • Phishing campaigns embedding malicious UNC paths or URLs to capture credentials upon user interaction.

• Credential Access:

  • Capturing NTLM hashes or credentials through SMB relay attacks or poisoned network protocols.

• Lateral Movement:

  • Using captured hashes or credentials to move laterally within the network, accessing additional systems or resources.

• Privilege Escalation:

  • Relaying captured credentials to escalate privileges by authenticating as higher-privileged users or administrators.

• Persistence:

  • Establishing persistent access by continuously harvesting credentials through poisoned services or injected paths.

Attack scenarios include:

• Internal penetration tests simulating insider threats.

• External attackers performing targeted phishing campaigns.

• Opportunistic attackers exploiting misconfigurations in network protocols (LLMNR/NBNS).

How this Technique is Usually Detected

Detection of Forced Authentication involves monitoring network traffic, authentication logs, and endpoint activities. Common detection methods include:

• Network Traffic Analysis:

  • Monitoring SMB, HTTP, LDAP, or WebDAV authentication requests to external or unknown IP addresses.

  • Tools: Wireshark, Zeek (formerly Bro), Suricata, Snort.

• Endpoint Detection and Response (EDR):

  • Detecting suspicious authentication attempts initiated by client machines.

  • Monitoring processes initiating unusual network connections or authentication requests.

• Event Log Monitoring:

  • Windows Security Event Logs (Event ID 4624 - Successful Logon, Event ID 4625 - Failed Logon).

  • Identifying repeated authentication failures or unusual authentication attempts to external IP addresses or unknown hosts.

• Honeytokens and Deception Technologies:

  • Deploying fake credentials or honeytokens that trigger alerts when used.

Indicators of Compromise (IoCs) include:

• Unexpected NTLM authentication requests to external or unknown IP addresses.

• Suspicious SMB or WebDAV traffic originating from internal hosts.

• Authentication failures logged against unknown or unauthorized hosts.

• Traffic related to LLMNR/NBNS queries answered by unknown hosts.

Why it is Important to Detect This Technique

Early detection of Forced Authentication attempts is critical for securing networks and systems due to the following potential impacts:

• Credential Theft:

  • Attackers may capture NTLM hashes or plaintext credentials, allowing unauthorized access.

• Privilege Escalation:

  • Captured credentials can be leveraged to escalate privileges, compromising sensitive systems or data.

• Lateral Movement:

  • Attackers can move freely within the network, increasing the scope and severity of breaches.

• Data Exfiltration:

  • Compromised accounts can be used to access sensitive information or intellectual property.

• Persistence and Long-term Compromise:

  • Attackers can establish persistent footholds, making remediation more difficult and costly.

Early detection allows for prompt incident response, containment, and mitigation, significantly reducing potential damage and limiting attacker effectiveness.

Examples

Real-world examples and scenarios involving Forced Authentication include:

• Responder Usage in Internal Penetration Tests:

  • Attackers or penetration testers deploy Responder to poison LLMNR/NBNS requests.

  • Captured NTLM hashes are relayed or cracked offline, providing domain credentials.

  • Impact: Domain compromise, privilege escalation, lateral movement.

• UNC Path Injection via Phishing Emails:

  • Attackers embed malicious UNC paths (\\attacker-server\share) within phishing emails or attached documents.

  • Victims unknowingly initiate authentication requests to attacker-controlled servers, leaking NTLM hashes.

  • Tools: Impacket's ntlmrelayx, Metasploit SMB modules.

  • Impact: Credential theft, unauthorized access, lateral movement.

• SMB Relay Attacks in "NotPetya" Malware:

  • The NotPetya ransomware leveraged SMB relay techniques to propagate rapidly within networks.

  • Captured credentials facilitated lateral movement and rapid infection spread.

  • Impact: Significant operational disruption, financial losses, and widespread system compromise.

• Malicious Redirects in APT Campaigns:

  • Advanced Persistent Threat (APT) groups redirect users to attacker-controlled web servers prompting authentication.

  • Captured credentials facilitate espionage, data theft, or further attacks.

  • Impact: Sensitive data exfiltration, intellectual property theft, espionage.

These examples demonstrate the versatility, effectiveness, and severity of Forced Authentication attacks, emphasizing the necessity of robust detection and mitigation strategies.