Forced Authentication (T1187)

Technique & Subtechniques

  • Forced Authentication

Associated Tactics

  • Credential Access

Credential Access (TA0006)

The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Procedure Examples

Description Source(s)
Cylance. (2015, April 13). Redirect to SMB. Retrieved December 21, 2017. Cylance Redirect to SMB
Dunning, J. (2016, August 1). Hashjacking. Retrieved December 21, 2017. GitHub Hashjacking
Microsoft. (n.d.). Managing WebDAV Security (IIS 6.0). Retrieved December 21, 2017. Microsoft Managing WebDAV Security
Osanda Malith Jayathissa. (2017, March 24). Places of Interest in Stealing NetNTLM Hashes. Retrieved January 26, 2018. Osanda Stealing NetNTLM Hashes
Stevens, D. (2017, November 13). WebDAV Traffic To Malicious Sites. Retrieved December 21, 2017. Didier Stevens WebDAV Traffic
US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017. US-CERT APT Energy Oct 2017
Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017. Wikipedia Server Message Block