Forced Authentication

Forced authentication is an in-path credential-theft technique in which an attacker induces a user's system to initiate an authentication request automatically, typically abusing SMB/WebDAV protocol behaviour to capture NTLM hashes. Defenders can counter it by monitoring for anomalous outbound SMB traffic, analysing .LNK/.SCF file metadata, detecting WebDAV activity on unusual ports, and restricting access to unvetted external resource links.

Current stealth techniques for forced authentication have evolved along three dimensions: protocol-stack reconstruction, trust-chain forgery and attack-surface dilution. Encrypted C2 channel hijacking wraps the session in TLS to defeat traditional plaintext traffic analysis; protocol obfuscation uses multi-protocol conversion to bypass port-level defence rules; distributed low-frequency collection relies on a globally distributed node network to dilute the temporal and spatial signatures of the attack; and trusted-service simulation clones digital identities so that attack traffic blends into normal business scenarios. What these techniques share is that they break through static protocol-layer defences by constructing attack chains that conform to normal business interaction patterns, so that authentication hijacking is deeply concealed at three levels: protocol compliance, traffic-signature legitimacy and operational continuity.

ID: T1187
Sub-techniques: No sub-techniques
Tactic: Credential Access
Platforms: Windows
Contributors: Sudhanshu Chauhan, @Sudhanshu_C; Teodor Cimpoesu
Version: 1.3
Created: 16 January 2018
Last Modified: 15 October 2024

Stealth Effects

Effect type                      Present
Signature masquerading
Behavioural transparency
Data obscuration
Spatiotemporal trace dispersion

Signature masquerading

Attackers use protocol conversion and cloud-service interface emulation to disguise SMB/WebDAV authentication traffic as legitimate HTTPS interactions. For example, protocol obfuscation reconstructs HTTP headers to encapsulate the malicious payload, and trusted-service simulation clones the API structure of a legitimate cloud platform, so that the attack traffic closely matches normal business traffic in protocol characteristics, certificate chains and other dimensions and evades detection rules based on protocol fingerprints.

Data obscuration

Encrypted C2 channel hijacking applies end-to-end TLS/SSL encryption to the authentication exchange, effectively hiding the transmitted NTLM hash. Attackers encrypt the channel with legitimately issued certificates, so network-layer defences cannot parse the sensitive credential material in the payload and observe only encrypted-traffic metadata, which significantly reduces the effectiveness of content-based detection.

Spatiotemporal trace dispersion

Distributed low-frequency credential collection spreads attack traffic across a global network of nodes and uses scheduling so that each node triggers only infrequently. Authentication requests are therefore spread over long periods in time and across multiple geographic network environments, and detection mechanisms based on centralised traffic clustering or short-window statistics struggle to correlate the distributed attack events.

Procedure Examples

ID Name Description
G0079 DarkHydrus

DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.[1]

G0035 Dragonfly

Dragonfly has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.[2][3]

S0634 EnvyScout

EnvyScout can use protocol handlers to coax the operating system to send NTLMv2 authentication responses to attacker-controlled infrastructure.[4]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Block SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139, 445 and UDP port 137. Filter or block WebDAV protocol traffic from exiting the network. If access to external resources over SMB and WebDAV is necessary, then traffic should be tightly limited with allowlisting.[5][6]

M1027 Password Policies

Use strong passwords to increase the difficulty of credential hashes from being cracked if they are obtained.

Detection

ID Data Source Data Component Detects
DS0022 File File Access

Monitor for access to files that may indicate attempts to coerce a user into providing authentication information.

Analytic 1 - Suspicious access to files known to be used for forced authentication attacks.

index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="\path\to\suspicious\file" | where match(ObjectName, "(?i)\.(lnk|scf|url|doc|dot|xls|ppt|pdf|html)$")

File Creation

Monitor for newly constructed .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources.

Analytic 1 - Creation of suspicious files in locations used for forced authentication attacks.

(index=security sourcetype="WinEventLog:Security" EventCode=4663) OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11) | where match(ObjectName, "(?i)\.(lnk|scf|url|doc|dot|xls|ppt|pdf|html)$") | where match(ObjectName, "(?i)(desktop|public|downloads|temp|cache|start menu|startup)")

File Modification

Monitor for changes made to the .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources.

Analytic 1 - Modifications to files known to be used for forced authentication attacks.

(index=security sourcetype="WinEventLog:Security" EventCode=4663) | where match(ObjectName, "(?i)\.(lnk|scf|url|doc|dot|xls|ppt|pdf|html)$") | where match(ObjectName, "(?i)(desktop|public|downloads|temp|cache|start menu|startup)")
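The File Creation and File Modification analytics above match only file extensions and locations; they do not inspect whether the file actually points at an external network resource. The following is an added example (not part of the ATT&CK page) that does that content check for INI-style .SCF and .URL files: it extracts the host from any UNC or URL value and flags hosts outside the internal ranges. The internal DNS suffix, the internal address ranges and all sample file contents are constructed assumptions; binary .LNK files need a separate parser and are not handled here.

```python
import ipaddress
import re
from typing import List, Tuple

# Captures the host of a UNC path (\\host\share) or of a file://, http:// or
# https:// URL appearing in a key=value line. Pattern is an assumption of this example.
REMOTE_REF = re.compile(r"(?i)(?:\\\\|//)(?P<host>[a-z0-9._-]+)(?=[\\/:]|$)")

# What counts as "internal": RFC 1918, loopback and link-local ranges plus an
# assumed corporate DNS suffix (placeholder; adjust per environment).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)


def is_external_host(host: str) -> bool:
    """True when host is neither an internal IP nor an internal DNS name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: short NetBIOS names resolve internally; fully
        # qualified names are treated as internal only under a known suffix.
        if "." not in host:
            return False
        return not host.lower().endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)


def find_remote_refs(text: str) -> List[Tuple[str, str]]:
    """Return (key, host) for every key=value line whose value names a remote host."""
    refs = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # section header or comment: no value to inspect
        m = REMOTE_REF.search(value.strip())
        if m:
            refs.append((key.strip(), m.group("host")))
    return refs


def external_refs(text: str) -> List[Tuple[str, str]]:
    """Only the references that point outside the internal network."""
    return [(k, h) for k, h in find_remote_refs(text) if is_external_host(h)]


# Constructed sample file contents (not taken from any real incident).
BENIGN_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\fileserver.corp.example\\icons\\x.ico\r\n"
SUSPICIOUS_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\203.0.113.7\\share\\x.ico\r\n"
SUSPICIOUS_URL = "[InternetShortcut]\r\nURL=file://docs.example.net/share/doc.docx\r\n"

if __name__ == "__main__":
    for name, body in (("ok.scf", BENIGN_SCF), ("bad.scf", SUSPICIOUS_SCF), ("bad.url", SUSPICIOUS_URL)):
        print(name, external_refs(body) or "clean")
```

Run it over the files surfaced by the creation/modification analytics (desktop, public, downloads and similar locations) and alert only on hits with an external host, which removes the false positives from shortcuts that legitimately point at internal file servers.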

DS0029 Network Traffic Network Traffic Content

For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.

Analytic 1 - Detection of NTLM hash traffic or other suspicious authentication traffic.

index=network sourcetype="stream:tcp" (dest_port=445 OR dest_port=80 OR dest_port=443) | eval Protocol=case(dest_port==445, "SMB", dest_port==80, "HTTP", dest_port==443, "HTTPS", true(), "Unknown")| search (command IN ("NTLMSSP_NEGOTIATE", "NTLMSSP_AUTH")) | eval SuspiciousAuth=case( match(_raw, "NTLMSSP_NEGOTIATE"), "NTLM Negotiate", match(_raw, "NTLMSSP_AUTH"), "NTLM Authentication", true(), "Unknown")

Network Traffic Flow

Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137, and for WebDAV traffic, attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause.

Analytic 1 - Unusual network traffic patterns indicative of forced authentication attempts.

index=network sourcetype="stream:tcp" (dest_port=445 OR dest_port=80 OR dest_port=443)| eval Protocol=case(dest_port==445, "SMB", dest_port==80, "HTTP", dest_port==443, "HTTPS", true(), "Unknown")| eval SuspiciousConn=if((Protocol="SMB" AND src_ip!=dest_ip AND (src_ip!="known_ip1" AND dest_ip!="known_ip2")), 1, 0)| where SuspiciousConn=1

References