This note documents detection patterns related to Coercer within Active Directory environments.
## Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4776 | NTLM authentication | Critical | Machine account authentication triggered by coercion frameworks. |
| Security | 4624 | Successful logon | High | Authentication event generated after coerced connection. |
| Security | 4769 | Kerberos service ticket request | Medium | Service ticket activity after forced authentication. |
| Security | 5140 | Network share accessed | Medium | SMB authentication events triggered by coercion attempt. |
| Sysmon | 3 | Network connection | Critical | Outbound SMB or HTTP connection from coerced system to attacker relay host. |
| Sysmon | 1 | Process creation | High | Execution of coercion framework such as Coercer.py. |
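As an added example (not part of the original note), the following Python parses the two event types the table relies on, a Security 4776 and a Sysmon 3 event in their rendered EVTX XML form, into flat dicts and applies the two direct-indicator checks: a machine account (name ending in `$`) validated over NTLM, and an initiated outbound connection to an SMB or HTTP port. The two XML samples, host names and addresses are constructed for the example; the field names follow the Windows Security and Sysmon event schemas.

```python
"""Parse rendered Security 4776 and Sysmon EID 3 XML events and tag the
fields the direct-indicator table pivots on. Samples below are constructed."""
import xml.etree.ElementTree as ET

# Namespace used by every rendered Windows event.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 4776: the DC validates FILESRV01$, but the request arrived
# via a host that is not FILESRV01 (the Workstation field).
SAMPLE_4776 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4776</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:01.000Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">FILESRV01$</Data>
    <Data Name="Workstation">WKS-ATTACK</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>"""

# Constructed Sysmon 3: the file server's kernel SMB client (Image "System")
# initiates a connection to port 445 on an unknown host.
SAMPLE_SYSMON3 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>3</EventID>
    <TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/>
    <Computer>FILESRV01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="Image">System</Data>
    <Data Name="User">NT AUTHORITY\\SYSTEM</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="SourceIp">10.0.0.20</Data>
    <Data Name="DestinationIp">10.0.0.99</Data>
    <Data Name="DestinationPort">445</Data>
  </EventData>
</Event>"""

COERCION_PORTS = {"445", "80", "443"}  # SMB and HTTP(S) listeners a relay host exposes


def parse_event(xml_text):
    """Flatten <System> metadata and every <EventData><Data Name=...> into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def is_machine_account_ntlm_auth(event):
    """Direct indicator: 4776 whose validated account is a computer account."""
    return event["event_id"] == 4776 and event.get("TargetUserName", "").endswith("$")


def is_outbound_smb_or_http(event):
    """Direct indicator: Sysmon 3 where this host initiated the connection
    to a port a coercion relay host would listen on."""
    return (event["event_id"] == 3
            and event.get("Initiated") == "true"
            and event.get("DestinationPort") in COERCION_PORTS)


if __name__ == "__main__":
    for sample in (SAMPLE_4776, SAMPLE_SYSMON3):
        ev = parse_event(sample)
        print(ev["event_id"], ev["computer"],
              is_machine_account_ntlm_auth(ev), is_outbound_smb_or_http(ev))
```

In practice the XML comes from `wevtutil qe Security /f:xml` or an EVTX export; the `Workstation` value of the 4776 is the host that presented the credential, which is why it is the field to compare against the account's own computer name.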
## Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Machine account authenticating externally | Computer account authenticating to unexpected host | Critical | Classic sign of forced authentication attack. |
| Domain controller outbound authentication | DC initiating outbound SMB/HTTP authentication | Critical | Very strong indicator of coercion attempt. |
| Authentication immediately followed by relay activity | Authentication reused against another service | High | Indicates NTLM relay chain. |
| Execution of coercion framework | Process execution of coercion utilities | Critical | Direct evidence of exploitation attempt. |
| Outbound SMB from servers | Servers authenticating to unknown machines | High | Possible forced authentication scenario. |
## Common Tools
| Tool | Usage |
|---|---|
| Coercer | Framework automating multiple forced authentication techniques. |
| ntlmrelayx | Relays coerced authentication to other services. |
| Impacket | Provides SMB and NTLM relay tooling. |
| CrackMapExec | Used in relay attack chains. |
| Custom coercion scripts | Trigger authentication using vulnerable RPC protocols. |
## Relevant Artifacts
- Domain controller Security logs (4624, 4776, 4769)
- SMB authentication logs
- Network traffic logs showing outbound authentication
- Sysmon logs (1, 3)
- EDR telemetry identifying coercion frameworks
- Prefetch artifacts for coercion tooling
- NTLM relay artifacts
- Authentication logs on relay targets
## MITRE ATT&CK References
- T1187 Forced Authentication
- T1557 Adversary-in-the-Middle
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
## Decision Tree
- Is the suspicious event present?
  - Identify machine account authentication events.
- What host generated the event?
  - Determine which system initiated the authentication.
- Is the authentication expected?
  - Investigate whether the system normally authenticates to that destination.
- Pivot:
  - Source host → inspect execution of coercion frameworks.
  - Destination host → analyze relay attempts.
  - Network → inspect SMB/HTTP authentication flows.
- Confirm exploitation
  - Determine whether the coerced authentication was relayed to escalate privileges.
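The following Python walks the decision tree above over constructed sample telemetry (not real logs) and also covers the indirect indicators table: it locates machine-account 4776 events, compares the `Workstation` that presented the credential with a baseline of expected source hosts, then pivots backwards to the coerced host's outbound SMB/HTTP connection (Sysmon 3) and forwards to a network logon (4624, LogonType 3) of the same account on another host, which is the relay-chain indicator. This is an added example, not code from the original note; the host names, the baseline mapping and the five-minute correlation window are assumptions.

```python
"""Walk the triage decision tree over flattened Windows/Sysmon events.
Events, host names, baseline and window are constructed assumptions."""
from datetime import datetime, timedelta

# Constructed sample telemetry, already flattened to dicts (not real logs).
EVENTS = [
    # Sysmon 3 on the coerced file server: it initiates SMB to an unknown host.
    {"time": "2024-01-01T10:00:00", "event_id": 3, "computer": "FILESRV01",
     "Initiated": "true", "DestinationIp": "10.0.0.99", "DestinationPort": "445"},
    # 4776 on the DC: FILESRV01$ is validated, but the request came via WKS-ATTACK.
    {"time": "2024-01-01T10:00:01", "event_id": 4776, "computer": "DC01",
     "TargetUserName": "FILESRV01$", "Workstation": "WKS-ATTACK"},
    # 4624 on a third server: the same machine account logs on over the network.
    {"time": "2024-01-01T10:00:02", "event_id": 4624, "computer": "APPSRV02",
     "TargetUserName": "FILESRV01$", "LogonType": "3", "IpAddress": "10.0.0.99"},
    # Benign: a workstation's own account validated from itself.
    {"time": "2024-01-01T10:05:00", "event_id": 4776, "computer": "DC01",
     "TargetUserName": "WKS07$", "Workstation": "WKS07"},
]

# Baseline (assumed): the hosts each machine account is expected to present
# its credential from. A computer account normally only does so from itself.
EXPECTED_SOURCE = {"FILESRV01$": {"FILESRV01"}, "WKS07$": {"WKS07"}}

COERCION_PORTS = {"445", "80", "443"}  # SMB and HTTP(S) listeners used by relay hosts
WINDOW = timedelta(minutes=5)          # assumed correlation window


def ts(ev):
    return datetime.fromisoformat(ev["time"])


def find_machine_account_auth(events):
    """Step 1: is the suspicious event present? Machine accounts end in '$'."""
    return [e for e in events
            if e["event_id"] == 4776 and e["TargetUserName"].endswith("$")]


def is_expected(auth, baseline):
    """Steps 2-3: Workstation is the host that presented the credential;
    the event is expected only if that host is in the account's baseline."""
    return auth["Workstation"] in baseline.get(auth["TargetUserName"], set())


def find_coercion_connection(auth, events, window=WINDOW):
    """Pivot to source host: outbound SMB/HTTP from the coerced machine
    shortly before its credential was validated elsewhere."""
    src, t0 = auth["TargetUserName"].rstrip("$"), ts(auth)
    return [e for e in events
            if e["event_id"] == 3 and e["computer"] == src
            and e.get("Initiated") == "true"
            and e.get("DestinationPort") in COERCION_PORTS
            and t0 - window <= ts(e) <= t0]


def find_relay(auth, events, window=WINDOW):
    """Pivot to destination: the same machine account performing a network
    logon (4624, type 3) on a different host right after validation."""
    src, t0 = auth["TargetUserName"].rstrip("$"), ts(auth)
    return [e for e in events
            if e["event_id"] == 4624 and e.get("LogonType") == "3"
            and e["TargetUserName"] == auth["TargetUserName"]
            and e["computer"] != src
            and t0 <= ts(e) <= t0 + window]


def triage(events, baseline):
    """Run the tree end to end; one finding per unexpected machine-account auth."""
    findings = []
    for auth in find_machine_account_auth(events):
        if is_expected(auth, baseline):
            continue  # normal renewal from the account's own host
        coerced = find_coercion_connection(auth, events)
        relayed = find_relay(auth, events)
        findings.append({
            "account": auth["TargetUserName"],
            "source_host": auth["Workstation"],
            "coercion_destinations": [e["DestinationIp"] for e in coerced],
            "relay_targets": [e["computer"] for e in relayed],
            # Exploitation is confirmed only when the credential was reused.
            "verdict": "relayed" if relayed else "coerced-or-unexplained",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, EXPECTED_SOURCE):
        print(finding)
```

The baseline is the part that needs tuning per environment: machine accounts of clustered or delegated services legitimately authenticate from more than one host, and those pairs belong in `EXPECTED_SOURCE` rather than in an alert.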
## Example Detection Templates

### KQL

Machine account (name ending in `$`) validated over NTLM on the domain controller:

```kusto
SecurityEvent
| where EventID == 4776
| where TargetUserName endswith "$"
```

Outbound SMB/HTTP connections summarised per remote host and initiating account in five-minute bins; scope it to server or DC devices to surface the outbound authentication indicator:

```kusto
DeviceNetworkEvents
| where RemotePort in (445, 80, 443)
| summarize count() by RemoteIP, InitiatingProcessAccountName, bin(TimeGenerated, 5m)
```

### EQL

```eql
any where event.code == "4776" and endsWith(winlog.event_data.TargetUserName, "$")
```

### Sigma

```yaml
title: Suspicious Machine Account Authentication Possibly Caused by Coercion
id: coercer-framework-detection
status: experimental
description: Detects machine account authentication that may indicate forced authentication attacks
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4776
        TargetUserName|endswith: '$'
    condition: selection
fields:
    - TargetUserName
    - Workstation
falsepositives:
    - Legitimate machine authentication
level: medium
tags:
    - attack.credential_access
    - attack.t1187
```
## Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| NTLM restrictions | Disable or restrict NTLM authentication | Critical | Prevents relay exploitation. |
| SMB signing | Require SMB signing across domain | High | Stops NTLM relay. |
| Protocol hardening | Disable vulnerable RPC interfaces where possible | High | Reduces coercion attack surface. |
| Monitoring | Alert on machine account outbound authentication | High | Detects coercion attempts. |
| Network segmentation | Limit SMB/HTTP communication between servers | Medium | Reduces relay opportunities. |