Skip to content

Add rule: potential NTLM authentication coercion tool execution#6111

Open
ashish-cybersec wants to merge 1 commit into
SigmaHQ:masterfrom
ashish-cybersec:detect-ntlm-coercion-tool-execution
Open

Add rule: potential NTLM authentication coercion tool execution#6111
ashish-cybersec wants to merge 1 commit into
SigmaHQ:masterfrom
ashish-cybersec:detect-ntlm-coercion-tool-execution

Conversation

@ashish-cybersec

Copy link
Copy Markdown

Summary of the Pull Request

new: Adds a rule to detect execution of NTLM authentication coercion tools (DFSCoerce, ShadowCoerce, WSPCoerce, Coercer) that abuse Windows RPC interfaces to force a target machine to authenticate outbound to an attacker-controlled listener. Complements the existing SMB relay tools rule by covering the coercion phase. Zero existing coverage in the repository for these tools.

Changelog

new: Potential NTLM Authentication Coercion Tool Execution

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions Bot added Rules Review Needed The PR requires review Windows Pull request add/update windows related rules labels Jul 5, 2026
@ashish-cybersec ashish-cybersec changed the title Add files via uploaAdd rule: potential NTLM authentication coercion tool executiond Add rule: potential NTLM authentication coercion tool execution Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Review Needed The PR requires review Rules Windows Pull request add/update windows related rules

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant