This note documents detection patterns related to ShadowCoerce within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4776 | NTLM authentication | Critical | Machine account authentication triggered via MS-FSRVP coercion. |
| Security | 4624 | Successful logon | High | Authentication event from coerced host after forced authentication. |
| Security | 4769 | Kerberos service ticket request | Medium | Service ticket activity following coerced authentication. |
| Security | 5140 | Network share accessed | Medium | SMB authentication events triggered by coercion attempt. |
| Sysmon | 3 | Network connection | Critical | Outbound SMB or HTTP connection from coerced host to attacker-controlled relay system. |
| Sysmon | 1 | Process creation | Medium | Execution of ShadowCoerce or related coercion tools. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Unexpected machine account authentication | Computer account authenticating to unknown host | Critical | Typical outcome of coercion attacks. |
| Domain controller outbound authentication | DC initiating SMB/HTTP authentication to external system | Critical | Highly suspicious behavior. |
| NTLM authentication followed by relay activity | Authentication immediately used against another service | High | Classic NTLM relay chain. |
| Execution of coercion tooling | Processes associated with ShadowCoerce exploitation | Critical | Direct evidence of attack execution. |
| Outbound authentication from servers | Servers authenticating to unknown machines | High | Possible forced authentication attempt. |
Common Tools
| Tool | Usage |
|---|---|
| ShadowCoerce | Exploits MS-FSRVP protocol to force machine authentication. |
| ntlmrelayx | Relays coerced NTLM authentication to other services. |
| Coercer | Framework automating coercion attacks. |
| CrackMapExec | Used together with relay attacks. |
| Impacket | Provides relay and authentication abuse capabilities. |
Relevant Artifacts
- Domain controller Security logs (4624, 4776, 4769)
- SMB authentication logs
- Network traffic logs showing outbound authentication
- Sysmon logs (1, 3)
- EDR telemetry identifying coercion tools
- Prefetch artifacts for ShadowCoerce execution
- NTLM relay logs
- Authentication logs on relay targets
MITRE ATT&CK References
- T1187 Forced Authentication
- T1557 Adversary-in-the-Middle
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
Decision Tree
- Is the suspicious event present?
  - Identify machine account authentication events.
- What host generated the event?
  - Determine which system initiated authentication.
- Is the authentication expected?
  - Investigate whether the system normally authenticates to that destination.
- Pivot:
  - Source host → inspect execution of ShadowCoerce or coercion tooling.
  - Destination host → analyze relay attempts.
  - Network → inspect SMB/HTTP authentication flows.
- Confirm exploitation
  - Determine whether coerced authentication was relayed for privilege escalation.
Example Detection Templates
KQL

Machine account NTLM validation on the domain controller:

```kql
SecurityEvent
| where EventID == 4776
| where TargetUserName endswith "$"
```

Outbound SMB/HTTP connections, bucketed per remote host and initiating account:

```kql
DeviceNetworkEvents
| where RemotePort in (445, 80, 443)
| summarize count() by RemoteIP, InitiatingProcessAccountName, bin(TimeGenerated, 5m)
```

EQL

```eql
any where event.code == "4776" and winlog.event_data.TargetUserName : "*$"
```

Sigma

```yaml
title: Suspicious Machine Account Authentication via ShadowCoerce
id: shadowcoerce-detection
status: experimental
description: Detects machine account authentication possibly caused by ShadowCoerce coercion
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4776
    TargetUserName|endswith: '$'
  condition: selection
fields:
  - TargetUserName
  - Workstation
falsepositives:
  - Legitimate machine authentication
level: medium
tags:
  - attack.credential_access
  - attack.t1187
```
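The indirect indicators above ("unexpected machine account authentication" and "NTLM authentication followed by relay activity") can be turned into a correlation step over exported Security events. The following is an added example, not code from the original note: it flags 4776 validations where a computer account arrives from a workstation name that is not its own host, then pairs each with an NTLM network logon (4624) for the same account inside a short window. The events are constructed samples and the field names are assumed to follow the Sentinel SecurityEvent schema used in the KQL templates.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from a real incident); field names
# follow the Sentinel SecurityEvent schema used in the KQL above.
SAMPLE_EVENTS = [
    # benign: WS07 authenticates as itself
    {"EventID": 4776, "TimeGenerated": "2024-05-01T10:00:00",
     "TargetUserName": "WS07$", "Workstation": "WS07"},
    # suspicious: DC01's account arrives from a host that is not DC01
    {"EventID": 4776, "TimeGenerated": "2024-05-01T10:05:00",
     "TargetUserName": "DC01$", "Workstation": "RELAYBOX"},
    # relay target logs a network NTLM logon as DC01$ seconds later
    {"EventID": 4624, "TimeGenerated": "2024-05-01T10:05:02",
     "TargetUserName": "DC01$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99"},
]

def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"])

def coerced_auth_candidates(events):
    """4776 events where a computer account authenticates from a
    workstation name that is not its own host. A coerced victim
    authenticates outbound, so the DC sees its account arriving from
    the listener rather than from the machine that owns the account."""
    hits = []
    for e in events:
        acct = e.get("TargetUserName", "")
        if e.get("EventID") != 4776 or not acct.endswith("$"):
            continue
        # Workstation is client-supplied: a mismatch is a lead, not proof.
        if e.get("Workstation", "").upper() != acct[:-1].upper():
            hits.append(e)
    return hits

def relay_chains(events, window=timedelta(seconds=60)):
    """Pair each candidate with an NTLM network logon (4624, LogonType 3)
    for the same machine account inside the window: the 'NTLM
    authentication followed by relay activity' indicator above."""
    logons = [e for e in events if e.get("EventID") == 4624
              and e.get("LogonType") == 3
              and e.get("AuthenticationPackageName") == "NTLM"]
    chains = []
    for c in coerced_auth_candidates(events):
        for lg in logons:
            if (lg["TargetUserName"].upper() == c["TargetUserName"].upper()
                    and timedelta(0) <= _ts(lg) - _ts(c) <= window):
                chains.append((c, lg))
    return chains
```

Because the Workstation value in 4776 is supplied by the client, a matching name does not clear an event; the Sysmon 3 and network artifacts listed above remain the stronger evidence of the outbound connection itself.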
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| NTLM restrictions | Disable or restrict NTLM authentication | Critical | Prevents relay exploitation. |
| SMB signing | Require SMB signing across domain | High | Prevents NTLM relay attacks. |
| Patch management | Apply updates addressing FSRVP abuse | High | Reduces attack surface. |
| Monitoring | Alert on machine account outbound authentication | High | Detects coercion attempts. |
| Network segmentation | Limit SMB communication between servers | Medium | Reduces relay opportunities. |