This note documents detection patterns related to DFSCoerce within Active Directory environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Security	4776	NTLM authentication	Critical	Machine account authentication triggered via MS-DFSNM coercion.
Security	4624	Successful logon	High	Authentication event from coerced host.
Security	4769	Kerberos service ticket request	Medium	Service ticket activity following coerced authentication.
Security	5140	Network share accessed	Medium	SMB authentication events triggered by coercion.
Sysmon	3	Network connection	Critical	Outbound SMB or HTTP connection from coerced host to attacker-controlled relay system.
Sysmon	1	Process creation	Medium	Execution of DFSCoerce tool triggering authentication.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Machine account authentication	Computer account authenticating unexpectedly to remote host	Critical	Typical behavior after coercion.
Domain controller outbound authentication	DC initiating authentication to attacker system	Critical	Highly suspicious behavior.
NTLM authentication followed by relay activity	Authentication used immediately for NTLM relay	High	Common attack chain.
Execution of coercion tools	Processes related to DFSCoerce exploitation	Critical	Direct evidence of attack activity.
SMB connection to attacker host	Coerced host connecting to unusual destination	High	Indicates forced authentication.

Common Tools

Tool	Usage
DFSCoerce	Exploits MS-DFSNM protocol to force machine authentication.
ntlmrelayx	Relays coerced NTLM authentication to target services.
Coercer	Framework automating coercion attacks.
CrackMapExec	Used with relay attacks to escalate privileges.
Impacket	Provides relay and authentication abuse capabilities.

Relevant Artifacts

Domain controller Security logs (4624, 4776, 4769)
SMB authentication logs
Network traffic logs showing outbound authentication
Sysmon logs (1, 3)
EDR telemetry identifying coercion tools
Prefetch artifacts for DFSCoerce execution
NTLM relay logs
Authentication logs on relay targets

MITRE ATT&CK References

T1187 Forced Authentication
T1557 Adversary-in-the-Middle
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay

Decision Tree

Is the suspicious event present?
- Identify machine account authentication events.
What host generated the event?
- Determine which server initiated authentication.
Is the authentication expected?
- Investigate whether system normally authenticates externally.
Pivot:
- Source host → inspect execution of DFSCoerce or coercion tools.
- Destination host → analyze relay attempts.
- Network → inspect SMB authentication flows.
Confirm exploitation
- Determine whether coerced authentication was relayed for privilege escalation.

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4776
| where TargetUserName endswith "$"

DeviceNetworkEvents
| where RemotePort in (445,80,443)
| summarize count() by RemoteIP, InitiatingProcessAccountName, bin(TimeGenerated,5m)

EQL

any where event.code == "4776"

Sigma

title: Suspicious Machine Account Authentication via DFSCoerce
id: dfscoerce-detection
status: experimental
description: Detects machine account authentication possibly caused by DFSCoerce coercion
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4776
  condition: selection
fields:
  - TargetUserName
  - Workstation
falsepositives:
  - Legitimate machine authentication
level: medium
tags:
  - attack.lateral_movement
  - attack.t1187

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
NTLM restrictions	Disable or restrict NTLM authentication	Critical	Prevents relay exploitation.
SMB signing	Require SMB signing across domain	High	Stops NTLM relay attacks.
Patch management	Apply security updates addressing DFS protocol abuse	High	Reduces attack surface.
Monitoring	Alert on machine account outbound authentication	High	Detects coercion attempts.
Network segmentation	Limit SMB communication between systems	Medium	Reduces relay opportunities.