diff --git a/rules/cross-platform/credential_access_forced_authentication.toml b/rules/cross-platform/credential_access_forced_authentication.toml
new file mode 100644
index 00000000000..3e2459303a0
--- /dev/null
+++ b/rules/cross-platform/credential_access_forced_authentication.toml
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2024/07/22"
+integration = ["endpoint", "system"]
+maturity = "production"
+updated_date = "2024/07/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a potential forced authentication. Attackers may attempt to force targets to authenticate to a Linux machine
+controlled by them to capture hashes or enable relay attacks.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-system.security-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Active Directory Forced Authentication from Linux Host"
+references = [
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-efsr",
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-rprn",
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-dfsnm",
+    "https://attack.mitre.org/techniques/T1187/",
+]
+risk_score = 47
+rule_id = "c24e9a43-f67e-431d-991b-09cdb83b3c0c"
+setup = """## Setup
+
+This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers
+for correlation. Both data should be collected from the hosts for this detection to work.
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Data Source: Active Directory",
+    "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence with maxspan=15s
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
+[authentication where host.os.type == "windows" and event.action == "logged-in" and
+ winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = "https://attack.mitre.org/techniques/T1187/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+