T1187 – Forced Authentication (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details
Alert ID: MDI-FORCED-AUTH-1187-7842
Alert Time: 2024-02-22 11:30:22 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Identity
Rule: “Suspicious Network Connection – Potentially Forced Authentication”
MITRE ATT&CK: T1187 – Forced Authentication

Alert Details:

Detection: Outbound SMB connection to attacker-controlled server (potentially for NTLM relay)

Host: ENG-WS-078 (Engineering Workstation)
User: alexchen (Alex Chen, Engineer)
Time: 11:25 EST

Connection Details:

Source: 192.168.78.45 (ENG-WS-078)
Destination: 185.143.221[.]89:445 (SMB)
Protocol: SMB (Server Message Block)
Authentication: NTLMv2 (initiated by client)
Status: Connection established

Process Details:

Process: explorer.exe (PID: 2341)
Thread: Opened file from UNC path: \\185.143.221[.]89\share\document.pdf
User: alexchen (authenticating automatically)

Additional Events:

11:24: User received email with link: file://\\185.143.221[.]89\share\document.pdf
11:24: User clicked link
11:25: Explorer.exe attempted to connect to remote SMB share
11:25: NTLM authentication initiated (user’s credentials sent)
11:25: MDI detects suspicious outbound SMB

Detection Logic:

Outbound SMB to external IP (unusual – SMB typically internal)
Destination IP known for malicious activity
User initiated connection via file:// link
Pattern matches “forced authentication” (NTLM relay) attack
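The four conditions above can be expressed as a scoring rule over connection events. The block below is an added illustration, not MDI's own logic: it runs over constructed sample events modelled on this alert (the threat-intel set and field names are assumptions) and flags only outbound SMB to a globally routable address, weighting known-bad destinations, file:// triggers and explorer.exe as the initiating process.

```python
import ipaddress

# Constructed sample events modelled on the alert above; not real telemetry.
SAMPLE_EVENTS = [
    {"src": "192.168.78.45", "dst": "185.143.221.89", "dport": 445,
     "process": "explorer.exe",
     "uri": "file://\\\\185.143.221.89\\share\\document.pdf"},
    {"src": "192.168.78.45", "dst": "192.168.10.5", "dport": 445,
     "process": "explorer.exe", "uri": "\\\\fileserver\\eng"},
    {"src": "192.168.78.45", "dst": "185.143.221.89", "dport": 443,
     "process": "msedge.exe", "uri": "https://185.143.221.89/"},
]

# Assumption: a SOC would load this from a threat-intel feed; the one entry
# here is the destination named in the alert.
KNOWN_BAD = {"185.143.221.89"}
SMB_PORTS = {445, 139}


def is_external(ip: str) -> bool:
    """True when the address is globally routable (not RFC1918, loopback, link-local)."""
    return ipaddress.ip_address(ip).is_global


def score_event(ev: dict) -> int:
    """Risk score 0-100 mirroring the alert's detection logic; 0 means 'not of interest'."""
    if ev["dport"] not in SMB_PORTS or not is_external(ev["dst"]):
        return 0                      # only outbound SMB to the internet is interesting
    score = 50                        # SMB leaving the network is unusual on its own
    if ev["dst"] in KNOWN_BAD:
        score += 25                   # destination already flagged by threat intel
    if ev["uri"].lower().startswith("file://"):
        score += 10                   # user-triggered via a file:// link, the T1187 lure
    if ev["process"].lower() == "explorer.exe":
        score += 10                   # the shell opened the UNC path, so NTLM auth was automatic
    return min(score, 100)


def detect_forced_auth(events, threshold: int = 60):
    """Return (event, score) pairs whose score meets the threshold."""
    hits = []
    for ev in events:
        s = score_event(ev)
        if s >= threshold:
            hits.append((ev, s))
    return hits


if __name__ == "__main__":
    for ev, s in detect_forced_auth(SAMPLE_EVENTS):
        print(f"{s:3d}  {ev['src']} -> {ev['dst']}:{ev['dport']} via {ev['process']}")
```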

Threat Intelligence:

IP 185.143.221[.]89 known for NTLM relay attacks
Technique: Force user to authenticate to attacker server
Attacker relays NTLM hash to authenticate to other services

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed forced authentication attempt
2. Network Block | Block outbound SMB to external IP | Palo Alto Firewall | SMB to 185.143.221[.]89 blocked
3. User Notification | Contact user immediately | Teams, Phone | User warned; credential reset initiated
4. Credential Reset | Reset user password | Azure AD, AD | Password reset; MFA enforced
5. Relay Check | Check if credentials were used elsewhere | Azure AD Logs, SIEM | No subsequent logins from attacker IP
6. Email Investigation | Find source email | Proofpoint, Exchange | Email quarantined; sender blocked

Jira Incident Report
Ticket: SOC-2024-113
Summary: T1187 – Forced Authentication Attempt via Malicious SMB Link
Status: RESOLVED
Resolution: MALICIOUS – Authentication Blocked
Priority: P2 – MEDIUM
Labels: T1187, forced-authentication, ntlm-relay, mdi, phishing
Components: Network-Security, Identity-Management

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Identity.
Alert: “Suspicious Network Connection – Potentially Forced Authentication”.
Host: ENG-WS-078 (Engineering Department, user alexchen).
Destination: 185.143.221[.]89:445 (SMB).
Time: 2024-02-22 11:30 EST.
Technique: MITRE ATT&CK T1187 – Forced Authentication.

2. Technical Analysis:

Attack Chain:

11:20 – User receives phishing email from “security@company-update[.]net”
11:21 – Email contains link: file://\\185.143.221[.]89\share\document.pdf
11:22 – User clicks link (expecting PDF document)
11:22 – Windows Explorer attempts to connect to remote SMB share
11:22 – NTLM authentication automatically triggered (user’s credentials sent)
11:23 – Connection established to attacker server
11:23 – Attacker receives NTLM hash
11:25 – MDI detects and alerts

Forced Authentication Technique:

Method: file:// link to remote SMB share
Why it works: Windows automatically sends current user credentials when accessing network resources
Attacker Goal: Capture NTLM hash for relay or offline cracking

Attacker Capabilities with NTLM Hash:

Could relay to other services (if SMB signing not required)
Could attempt offline cracking (weak password)
Could use for Pass-the-Hash attacks

User Password Strength:

Password: “Summer2024!” (moderate complexity)
Crackable offline (estimated 2-3 days)

3. Investigation Findings:

Timeline:

11:20 – Phishing email received
11:22 – User clicks link
11:22-11:23 – NTLM hash sent
11:25 – MDI alert
11:27 – SOC investigates
11:28 – User contacted
11:29 – SMB blocked
11:30 – Password reset initiated

Indicators of Compromise (IoCs):

Network:

– Attacker SMB server: 185.143.221[.]89:445

– SMB share: \\185.143.221[.]89\share\

Email:

– Sender: security@company-update[.]net

– Link: file://\\185.143.221[.]89\share\document.pdf

User:

– alexchen (credentials potentially compromised)

4. Containment Actions:

Immediate Actions:

Blocked outbound SMB to external IP at firewall.
Reset user password.
Enforced MFA (if not already enabled).
Quarantined email from all mailboxes.

Credential Monitoring:

Checked Azure AD logs for any logins from attacker IP (none).
Checked for any suspicious activity using alexchen account (none).

User Remediation:

User educated on file:// links and forced authentication risks.

5. Root Cause Analysis:

Primary Cause: User clicked malicious file:// link in phishing email.
Contributing Factors:
Outbound SMB allowed to internet (should be blocked).
User unaware of forced authentication technique.
NTLM enabled (legacy protocol).

6. Business Impact:

Operational Impact: Engineer offline for 1 hour (password reset).
Data Exposure: NTLM hash captured; password reset before cracking.

7. Remediation & Prevention:

Completed Actions:

Password reset.
SMB blocked.
User educated.

Technical Controls Enhanced:

Blocked outbound SMB to internet (firewall rule).
Disabled NTLM where possible (migrated to Kerberos).
Enabled SMB signing to prevent relay.
Created email filtering rule for file:// links.
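The email filtering rule in the last item needs to recognise the lure format used in this incident. The block below is an added example of such a filter, not the organisation's Proofpoint/Exchange rule: it extracts file:// and bare UNC links from a message body, decides whether the host is external (a globally routable IP, or a name outside an assumed allowlist of internal file servers), and returns a block/flag/allow verdict. Sample bodies are constructed.

```python
import ipaddress
import re

# Matches 'file:' followed by 2-4 slashes/backslashes, or a bare '\\' not glued to
# a URL scheme, then a host and the first path component (the share name).
UNC_LINK = re.compile(
    r"(?:file:[\\/]{2,4}|(?<![\w:/\\])[\\/]{2})"   # 'file://', 'file:////', or bare '\\'
    r"(?P<host>[A-Za-z0-9.\-]+)"                   # host name or dotted IPv4
    r"[\\/](?P<share>[^\s\\/<>\"']+)",              # share name
    re.IGNORECASE,
)

# Assumption: the organisation maintains an allowlist of legitimate internal shares.
INTERNAL_HOSTS = {"fileserver", "fileserver.corp.example"}


def link_host_is_external(host: str) -> bool:
    """An IP is external if globally routable; a name is external unless allowlisted."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return host.lower() not in INTERNAL_HOSTS


def find_unc_links(body: str):
    """Return (matched_text, host, share) for every file:// or UNC link in the body."""
    return [(m.group(0), m.group("host"), m.group("share"))
            for m in UNC_LINK.finditer(body)]


def classify_email(body: str) -> str:
    """'block' if any UNC link points outside the allowlist, 'flag' if only internal
    UNC links are present (worth a second look), otherwise 'allow'."""
    links = find_unc_links(body)
    if any(link_host_is_external(host) for _, host, _ in links):
        return "block"
    return "flag" if links else "allow"


# Constructed sample bodies; the first mirrors the lure in this incident.
SAMPLE_PHISH = "Please review the updated policy: file://\\\\185.143.221.89\\share\\document.pdf"
SAMPLE_INTERNAL = "Spec is at \\\\fileserver\\eng\\spec.docx"
SAMPLE_CLEAN = "See https://intranet.example/page for details."

if __name__ == "__main__":
    for body in (SAMPLE_PHISH, SAMPLE_INTERNAL, SAMPLE_CLEAN):
        print(classify_email(body), find_unc_links(body))
```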

8. Conclusion:

An attacker used a phishing email with a file:// SMB link to force a user to authenticate to an external server, capturing their NTLM hash. MDI detected the outbound SMB connection, enabling password reset before the hash could be cracked or relayed.

Closure Rationale: Password reset; SMB blocked; user educated.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-22 12:30 EST
