MITRE ATT&CK® Technique

T1187: Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system.[1] This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443.[2][3]

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on a navigation path for privileged accounts (e.g. an .SCF file placed on the desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource, it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary-controlled server.[4] With access to the credential hash, an adversary can perform offline Brute Force cracking to gain access to plaintext credentials.[5]

There are several different ways this can occur.[6] Some specifics from in-the-wild use include:

* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request.[7]
* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials.[7]
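
A defender-side check for the two lure formats just listed, added here as an example (it is not code from the ATT&CK entry or from Glexia): it parses an .SCF file for an IconFile entry that points at a UNC path or URL, and opens a .docx to see whether its attached-template relationship points at a remote host rather than a local drive. The sample files are constructed inside the block; the placeholder host "[remote address]" is the page's own. .LNK files are a binary format and are not parsed here.

```python
"""Lure-file scanner: flags .SCF icon paths and .docx attached-template
relationships that point at a remote host (UNC path or URL), which is what
makes Windows authenticate automatically when the file is rendered or opened.
Added example, not code from the ATT&CK entry; sample inputs are constructed."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass
from typing import List

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


@dataclass
class Finding:
    artefact: str   # file name the reference was found in
    field: str      # which setting carried the reference
    target: str     # the remote path or URL


def looks_remote(target: str) -> bool:
    """True when the path would make Windows contact another host.
    UNC paths and http(s) URLs always do; file: URLs only when they name a host
    rather than a local drive (file:///C:/... stays local)."""
    low = target.strip().lower()
    if low.startswith("\\\\") or low.startswith(("http://", "https://")):
        return True
    if low.startswith("file:"):
        host = low[5:].lstrip("/").split("/", 1)[0]
        return bool(host) and not re.fullmatch(r"[a-z]:", host)
    return False


def scan_scf(name: str, text: str) -> List[Finding]:
    """.SCF files are INI-style; Explorer fetches IconFile to draw the icon."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "iconfile" and looks_remote(value):
            findings.append(Finding(name, "IconFile", value.strip()))
    return findings


def scan_docx(name: str, data: bytes) -> List[Finding]:
    """Word resolves the attachedTemplate relationship in settings.xml.rels on open."""
    findings = []
    rels_path = "word/_rels/settings.xml.rels"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if rels_path not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(rels_path))
    for rel in root.iter("{%s}Relationship" % REL_NS):
        if rel.get("Type", "").endswith("/attachedTemplate"):
            target = rel.get("Target", "")
            if looks_remote(target):
                findings.append(Finding(name, "attachedTemplate", target))
    return findings


# --- constructed samples (not real lure files) ---------------------------
def build_sample_docx(template_target: str) -> bytes:
    """Minimal .docx containing only the parts the scanner reads."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/attachedTemplate" '
            'Target="%s" TargetMode="External"/></Relationships>'
            % (REL_NS, template_target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


BENIGN_SCF = "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
LURE_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\[remote address]\\pic.png\r\n"


def run_demo() -> List[Finding]:
    """Scan the constructed samples; only the two remote references are flagged."""
    findings = scan_scf("benign.scf", BENIGN_SCF) + scan_scf("lure.scf", LURE_SCF)
    findings += scan_docx("local.docx", build_sample_docx("file:///C:/Users/me/Normal.dotm"))
    findings += scan_docx("lure.docx", build_sample_docx("file://[remote address]/Normal.dotm"))
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.artefact}: {f.field} -> {f.target}")
```

The local-template case is kept deliberately: enterprise documents routinely carry an external relationship to a template on the user's own drive, so a rule that flagged every TargetMode="External" relationship would drown in the false positives the detection section warns about.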

Alternatively, by leveraging the EfsRpcOpenFileRaw function, an adversary can send SMB requests to a remote system's MS-EFSRPC interface and force the victim computer to initiate an authentication procedure and share its authentication details. The Encrypting File System Remote Protocol (EFSRPC) is a protocol used in Windows networks for maintenance and management operations on encrypted data that is stored remotely and accessed over a network. The EfsRpcOpenFileRaw function in EFSRPC is used to open an encrypted object on the server for backup or restore. Adversaries can collect this data and abuse it as part of an NTLM relay attack to gain access to remote systems on the same internal network.[8][9]

Enterprise | T1187 | Technique | Object v1.4 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Forced Authentication matters because normal Windows convenience behavior can become credential exposure. If a user or system is induced to access an untrusted SMB or WebDAV resource, Windows may automatically send authentication material that an adversary can intercept and potentially use for offline password cracking or NTLM relay. For leaders, this is a credential-access risk that depends heavily on egress controls, Windows authentication visibility, and user/file handling paths.

Executive priority

Prioritize this where Windows identity is central to operations, privileged users browse shared locations, or outbound network paths are loosely controlled. The key business question is whether the organization can prove it limits and detects unexpected SMB/WebDAV authentication to untrusted destinations. This technique also supports audit and incident-readiness discussions: password policy strength, network filtering, and evidence of outbound authentication attempts are the control areas most relevant to reducing risk and supporting investigations.

Technical view

ATT&CK lists this as a Windows credential-access technique. The supplied relationship DET0022 points defenders toward detecting forced SMB/WebDAV authentication via lure files and outbound NTLM. SOC and IR teams should validate visibility for Windows hosts initiating SMB or WebDAV authentication to unusual or external destinations, especially after opening documents, rendering .LNK/.SCF-style content, accessing public shares, or interacting with paths that reference remote resources. Also assess visibility for EFSRPC/MS-EFSRPC-related coercion patterns where a host is induced to authenticate to another system. Because SMB and WebDAV can be normal in enterprise environments, detection should be baseline-driven and destination-aware rather than purely protocol-based.

Likely telemetry

  • Outbound SMB connection metadata from endpoints and network controls
  • WebDAV/HTTP/HTTPS connection records where Windows clients access remote resources
  • Windows authentication and NTLM-related event evidence
  • Endpoint file telemetry for documents, .LNK files, .SCF files, and remote resource references
  • Email or attachment telemetry for spearphishing-delivered documents

Detection direction

  • Validate coverage against DET0022: lure-file execution or rendering followed by outbound SMB/WebDAV or NTLM authentication.
  • Tune for authentication attempts to untrusted, internet-facing, or unusual internal destinations rather than all SMB/WebDAV activity.
  • Correlate document opening, shortcut/icon rendering, or share browsing with immediate outbound authentication attempts.
  • Review privileged account activity separately, since coerced authentication from high-value accounts can materially change incident severity.
  • Account for false positives from legitimate file shares, backup workflows, WebDAV applications, and enterprise document templates.
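
A correlation rule that implements the five points above, added as an example (it is not part of the ATT&CK entry or of Glexia's analysis): it classifies each destination as allowlisted, unlisted-internal or external, looks back a short window for a document open or shortcut/.SCF render on the same host, raises severity for privileged accounts, and keeps unlisted internal SMB in the baseline unless a lure preceded it. The event field names are assumptions loosely modelled on Sysmon, and every event, allowlist entry and account name is constructed.

```python
"""Correlation rule for forced SMB/WebDAV authentication: destination-aware,
lure-correlated and privilege-aware, with an allowlist for known file servers.
Added example, not part of the ATT&CK entry or Glexia's analysis. Event field
names are assumptions modelled loosely on Sysmon; all events are constructed."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed environment knowledge: legitimate SMB/WebDAV targets and high-value accounts.
TRUSTED_DESTINATIONS = {"10.0.0.5", "10.0.0.6"}
PRIVILEGED_USERS = {"CORP\\da-admin"}
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "127.0.0.0/8", "169.254.0.0/16")]
LURE_EXTENSIONS = (".docx", ".docm", ".dotm", ".rtf", ".lnk", ".scf")
WEBDAV_CLIENT = "svchost.exe"          # the WebClient service runs inside svchost
CORRELATION_WINDOW = timedelta(seconds=30)
SEVERITY = ["medium", "high", "critical"]


def classify_destination(ip: str) -> str:
    """trusted (allowlisted), internal-unlisted (RFC1918 etc.), or external."""
    if ip in TRUSTED_DESTINATIONS:
        return "trusted"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_RANGES):
        return "internal-unlisted"
    return "external"


def is_auth_candidate(ev: Dict) -> bool:
    """Outbound SMB from any process, or HTTP(S) from the WebDAV client process."""
    if ev["type"] != "net_conn":
        return False
    if ev["dst_port"] == 445:
        return True
    return ev["dst_port"] in (80, 443) and ev["process"].lower() == WEBDAV_CLIENT


def is_lure_trigger(ev: Dict) -> bool:
    """Opening a document or rendering a shortcut/.SCF just before the connection."""
    return ev["type"] == "file_open" and ev["path"].lower().endswith(LURE_EXTENSIONS)


def correlate(events: List[Dict]) -> List[Dict]:
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for ev in events:
        if not is_auth_candidate(ev):
            continue
        dest = classify_destination(ev["dst_ip"])
        if dest == "trusted":
            continue                     # known file server / backup target
        lures = [t for t in events
                 if is_lure_trigger(t) and t["host"] == ev["host"]
                 and ev["ts"] - CORRELATION_WINDOW <= t["ts"] <= ev["ts"]]
        if dest == "internal-unlisted" and not lures:
            continue                     # unlisted internal SMB alone stays in the baseline
        level = 1 if lures else 0        # external alone: medium; lure-correlated: high
        if ev["user"] in PRIVILEGED_USERS:
            level = min(level + 1, 2)    # coerced auth from a privileged account raises severity
        alerts.append({
            "host": ev["host"], "user": ev["user"],
            "destination": f'{ev["dst_ip"]}:{ev["dst_port"]}',
            "destination_class": dest,
            "lure": lures[-1]["path"] if lures else None,
            "severity": SEVERITY[level],
        })
    return alerts


def _ts(hhmmss: str) -> datetime:
    return datetime.strptime("2024-01-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed telemetry: a lure-driven external SMB flow, a privileged user rendering
# an .SCF on a share, a legitimate file-server flow, a bare WebDAV flow to the internet,
# and ordinary browser HTTPS traffic.
SAMPLE_EVENTS = [
    {"type": "file_open", "ts": _ts("10:00:00"), "host": "WS01", "user": "CORP\\jsmith",
     "path": "C:\\Users\\jsmith\\Downloads\\invoice.docx"},
    {"type": "net_conn", "ts": _ts("10:00:03"), "host": "WS01", "user": "CORP\\jsmith",
     "process": "System", "dst_ip": "203.0.113.10", "dst_port": 445},
    {"type": "file_open", "ts": _ts("10:05:00"), "host": "WS02", "user": "CORP\\da-admin",
     "path": "\\\\fileserver\\public\\readme.scf"},
    {"type": "net_conn", "ts": _ts("10:05:01"), "host": "WS02", "user": "CORP\\da-admin",
     "process": "System", "dst_ip": "10.0.50.9", "dst_port": 445},
    {"type": "net_conn", "ts": _ts("10:10:00"), "host": "WS03", "user": "CORP\\alee",
     "process": "System", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"type": "net_conn", "ts": _ts("10:12:00"), "host": "WS04", "user": "CORP\\bkim",
     "process": "svchost.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"type": "net_conn", "ts": _ts("10:13:00"), "host": "WS05", "user": "CORP\\cpat",
     "process": "chrome.exe", "dst_ip": "203.0.113.5", "dst_port": 443},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Run against the sample, the rule yields three alerts: WS01 (external SMB seconds after a document open, high), WS02 (unlisted internal SMB after an .SCF render by a privileged account, critical) and WS04 (WebClient HTTPS to the internet with no preceding lure, medium). The allowlisted file-server flow and the browser traffic produce nothing, which is the baseline-driven behaviour the detection direction asks for.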

Mitigation priorities

  • Start with M1037 Filter Network Traffic: restrict unnecessary outbound SMB and control WebDAV paths so Windows hosts cannot freely authenticate to untrusted destinations.
  • Use segmentation and egress policy to limit lateral and external authentication opportunities, especially from privileged workstations and servers.
  • Apply M1027 Password Policies so captured hashes are less likely to be cracked through offline brute force; prioritize length, complexity, history, and reuse prevention where applicable.
  • Reduce exposure of public or broadly writable shares that could host crafted files viewed by privileged users.
  • Ensure incident response playbooks include steps to identify affected users, destinations contacted, and whether credentials require reset or further containment.

Analyst notes and limits

MITRE links this technique to Dragonfly, DarkHydrus, and EnvyScout in the supplied relationships, but that context should be used for threat-modeling and detection prioritization only, not as evidence of activity in any environment. The strongest defensive value is confirming whether Windows automatic authentication paths are visible and constrained.

The official ATT&CK object provides no detection text, so detection guidance is derived from the technique description and the supplied DET0022 relationship. Local validation is required to determine which SMB, WebDAV, NTLM, file, email, RPC, and network logs are actually collected and retained.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0079: DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.[1][2]

Group Enterprise

G0035: Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.4
Created:
Modified:
Raw hash: c23568f2a2db421f...

Imported snapshots across ATT&CK releases (1)
  • Release: 19.1
  • Bundle imported:
  • Object version: 1.4
  • Modified:
  • Status: Current bundle
  • Raw hash: c23568f2a2db…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.
[2] Stevens, D. (2017, November 13). WebDAV Traffic To Malicious Sites. Retrieved December 21, 2017.
[3] Microsoft. (n.d.). Managing WebDAV Security (IIS 6.0). Retrieved November 17, 2024.
[4] Dunning, J. (2016, August 1). Hashjacking. GitHub. Retrieved December 21, 2017.
[5] Cylance. (2015, April 13). Redirect to SMB. Retrieved December 21, 2017.
[6] Osanda Malith Jayathissa. (2017, March 24). Places of Interest in Stealing NetNTLM Hashes. Retrieved January 26, 2018.
[7] US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
[8] Condon, Caitlin. (2022, April 24). PetitPotam: Novel Attack Chain Can Fully Compromise Windows Domains. Rapid7. Retrieved May 30, 2025.
[9] topotam. (2021, July 18). PetitPotam. PoC tool to coerce Windows hosts to authenticate to other machines. GitHub. Retrieved May 30, 2025.
[10] mitre-attack. T1187.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.