DET0022: Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM
Analyst context for executives and security teams
DET0022 is a detection strategy for identifying attempts to force Windows authentication over SMB or WebDAV using lure files and outbound NTLM activity. The business value is that this behavior can expose credential material without a user intentionally entering a password, making it relevant to identity risk, lateral movement readiness, and incident triage around suspected credential access.
Executive priority
Treat this as an identity and network egress control validation issue. Leaders should ask whether the organization can see outbound NTLM authentication attempts, whether SMB/WebDAV traffic is restricted to approved destinations, and whether SOC teams have a repeatable process to investigate possible forced authentication. This matters for resilience because stolen or relayed credentials can turn a user interaction with a file or resource into broader access risk.
Technical view
This detection strategy is related to ATT&CK technique T1187, Forced Authentication, under credential access on Windows. Because the supplied ATT&CK object does not include official detection text or platform fields, teams should anchor validation to the relationship context: suspicious lure-file interactions followed by outbound SMB/WebDAV or NTLM authentication attempts. SOC and IR teams should verify whether endpoint, authentication, proxy, DNS, and network telemetry can connect a user or host action to an unexpected outbound authentication destination.
Likely telemetry
- Windows authentication and NTLM-related logs where available
- Endpoint file access or process/file interaction telemetry related to opened lure files
- Network telemetry for outbound SMB traffic
- WebDAV-related client or proxy/network activity
- DNS lookups and connection metadata for external or unusual authentication destinations
Detection direction
- Validate visibility into outbound NTLM authentication attempts, especially to untrusted or unusual destinations.
- Correlate file-open or file-preview activity with subsequent SMB/WebDAV network connections from the same endpoint.
- Tune detections to distinguish approved internal file-sharing workflows from unexpected external or cross-segment authentication attempts.
- Review blind spots where endpoints lack detailed file telemetry, where NTLM events are not centrally collected, or where egress logs do not preserve destination context.
- Use the related T1187 context to prioritize alerts as credential-access investigations rather than treating them only as network anomalies.
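As an added illustration of the correlation and tuning bullets above (not code from the page, from Glexia, or from MITRE), the following pairs file-open events with SMB/WebDAV connections from the same host shortly afterwards and grades destinations against an approved list; the event field names, the 30-second window, the approved-destination set and the sample events are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real logs): endpoint file-open events and
# outbound connection events. Field names are assumptions for this example.
FILE_EVENTS = [
    {"host": "WS01", "user": "alice", "ts": "2024-05-01T09:00:00", "path": "C:\\Users\\alice\\Downloads\\invoice.lnk"},
    {"host": "WS02", "user": "bob", "ts": "2024-05-01T09:10:00", "path": "C:\\Users\\bob\\Desktop\\report.docx"},
    {"host": "WS03", "user": "carol", "ts": "2024-05-01T09:20:00", "path": "C:\\Users\\carol\\Downloads\\brief.scf"},
]
NET_EVENTS = [
    {"host": "WS01", "ts": "2024-05-01T09:00:04", "dst": "203.0.113.7", "dst_port": 445, "process": "System"},
    {"host": "WS02", "ts": "2024-05-01T09:10:02", "dst": "10.0.5.20", "dst_port": 445, "process": "System"},
    {"host": "WS03", "ts": "2024-05-01T09:20:09", "dst": "10.9.9.9", "dst_port": 80, "process": "WebClient"},
    {"host": "WS01", "ts": "2024-05-01T11:00:00", "dst": "203.0.113.7", "dst_port": 445, "process": "System"},
]
APPROVED_DESTS = {"10.0.5.20"}  # approved internal file server (assumed baseline)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(seconds=30)  # max gap between file open and outbound auth attempt

def is_smb_or_webdav(ev):
    # Direct SMB egress, or the Windows WebClient service (WebDAV over HTTP/HTTPS)
    return ev["dst_port"] == 445 or (
        ev["process"].lower() == "webclient" and ev["dst_port"] in (80, 443))

def is_internal(dst):
    return any(ip_address(dst) in net for net in INTERNAL_NETS)

def correlate(file_events, net_events, window=WINDOW):
    """Pair each file open with SMB/WebDAV connections from the same host inside the window."""
    alerts = []
    for f in file_events:
        t0 = datetime.fromisoformat(f["ts"])
        for n in net_events:
            if n["host"] != f["host"] or not is_smb_or_webdav(n):
                continue
            delta = datetime.fromisoformat(n["ts"]) - t0
            if not (timedelta(0) <= delta <= window) or n["dst"] in APPROVED_DESTS:
                continue  # out of window, or an approved file-sharing workflow
            alerts.append({
                "host": f["host"], "user": f["user"], "file": f["path"],
                "dst": n["dst"], "dst_port": n["dst_port"],
                "seconds_after_open": delta.total_seconds(),
                # External destinations are the credential-exposure case; unapproved
                # internal ones may be cross-segment activity or an untuned baseline.
                "severity": "high" if not is_internal(n["dst"]) else "medium",
            })
    return alerts
```

Running `correlate(FILE_EVENTS, NET_EVENTS)` yields two alerts: WS01 to an external SMB destination four seconds after the file open (high) and WS03 via WebClient to an unapproved internal host (medium); the approved WS02 connection and the WS01 connection two hours later are not paired.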
Mitigation priorities
- Restrict outbound SMB/WebDAV access to only approved destinations where business requirements justify it.
- Reduce unnecessary NTLM exposure and monitor for authentication to untrusted resources.
- Harden identity controls so exposed or relayed credential material has limited value, including least privilege and strong authentication where applicable.
- Ensure incident response playbooks include credential risk decisions such as account review, session/token review where relevant, and containment of affected endpoints.
- Maintain audit evidence showing which logs and egress controls support detection of forced authentication behavior.
Analyst notes and limits
The object itself is a detection strategy with no official description or detection text supplied. The useful context comes from its relationship to T1187 Forced Authentication, which describes adversaries causing a Windows system to automatically send authentication information over mechanisms such as SMB. Local environment baselines are required to determine what outbound authentication is normal.
Platforms and tactics are not specified on the detection strategy object itself; Windows and credential-access context come from the related T1187 technique. No ATT&CK-provided analytic logic, data sources, false-positive guidance, or mitigations were supplied, so recommendations are conservative validation directions rather than a guaranteed detection recipe.
Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1187 | Forced Authentication | This object detects Forced Authentication. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page on updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f78f5acdc458… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0022 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.