T1187: Forced Authentication

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443.

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on Desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system access the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. With access to the credential hash, an adversary can perform off-line Brute Force cracking to gain access to plaintext credentials.

There are several different ways this can occur. Some specifics form in-the-wild use include:

· A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document con include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request.

· A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \[remote address]\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials.

Example:

A very easy way to apply this technique is just by changing the target of an LNK File (SCF Files are also used) we can have responder running in our attacking machine and wait for our victim to click on our modified LNK file so that it will try and connect and capture a hash, this method will force authentication since the user is tricked to click on our Shortcut link and send us the hashes.

Responder

That way we see that our target tries to use the modified LNK to force the victim to authenticate to our attacking machine.