NTLM Relay Detection API Reference
MITRE ATT&CK Mapping
| Technique |
ID |
Description |
| LLMNR/NBT-NS Poisoning and SMB Relay |
T1557.001 |
Poisoning name resolution to capture and relay NTLM auth |
| Forced Authentication |
T1187 |
Coercing systems to authenticate (PetitPotam, PrinterBug) |
| Adversary-in-the-Middle |
T1557 |
Parent technique for relay and poisoning attacks |
| Exploitation for Credential Access |
T1212 |
Exploiting protocol weaknesses for credential theft |
Windows Security Event IDs for NTLM Relay Detection
| Event ID |
Log |
Relay Significance |
| 4624 (Type 3) |
Security |
Network logon -- primary relay detection event. Check IP vs WorkstationName |
| 4625 |
Security |
Failed logon -- relay failures leave traces here |
| 4648 |
Security |
Explicit credential logon -- may appear in some relay scenarios |
| 4776 |
Security |
NTLM credential validation on domain controller |
| 8001 |
NTLM Operational |
NTLM client blocked audit |
| 8002 |
NTLM Operational |
NTLM server blocked audit |
| 8003 |
NTLM Operational |
NTLM server blocked in domain |
| 8004 |
NTLM Operational |
NTLM authentication to DC audit (critical for inventory) |
Event 4624 Key Fields for Relay Detection
| Field |
Normal Value |
Relay Indicator |
| LogonType |
3 |
Always 3 for network relay |
| AuthenticationPackageName |
NTLM |
Must be NTLM (Kerberos cannot be relayed) |
| LmPackageName |
NTLM V2 |
NTLM V1 indicates downgrade attack |
| WorkstationName |
Victim hostname |
Name of victim machine (not the relay host) |
| IpAddress |
Victim IP |
Attacker/relay IP (MISMATCH = relay indicator) |
| LogonProcessName |
NtLmSsp |
Standard for NTLM logon |
| ImpersonationLevel |
Delegation/Impersonation |
High privilege relay |
SMB Signing Registry Keys
| Registry Path |
Value |
Secure Setting |
| HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature |
REG_DWORD |
1 (Required) |
| HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature |
REG_DWORD |
1 (Enabled) |
| HKLM\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature |
REG_DWORD |
1 (Required) |
LDAP Signing Registry Keys (Domain Controllers)
| Registry Path |
Value |
Meaning |
| HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity |
0 |
None (Vulnerable) |
|
1 |
Negotiate (Default - Vulnerable) |
|
2 |
Required (Secure) |
| HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding |
0 |
Disabled (Vulnerable) |
|
1 |
When Supported |
|
2 |
Always Required (Secure) |
NTLM Configuration Registry Keys
| Registry Path |
Value |
Meaning |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel |
0 |
Send LM & NTLM (Most Vulnerable) |
|
1 |
Send LM & NTLM, NTLMv2 session if negotiated |
|
2 |
Send NTLM only |
|
3 |
Send NTLMv2 only (Recommended minimum) |
|
4 |
Send NTLMv2 only, refuse LM |
|
5 |
Send NTLMv2 only, refuse LM & NTLM (Most Secure) |
| HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast |
0 |
LLMNR Disabled (Secure) |
|
1 |
LLMNR Enabled (Vulnerable to Responder) |
Network Indicators
| Protocol |
Port |
Attack Role |
| UDP |
5355 |
LLMNR -- Responder poisoning target |
| UDP |
137 |
NBT-NS -- Responder poisoning target |
| UDP |
5353 |
mDNS -- Responder poisoning target |
| TCP |
445 |
SMB -- relay target (if signing not enforced) |
| TCP |
389 |
LDAP -- relay target (if signing not enforced) |
| TCP |
636 |
LDAPS -- relay target (if channel binding not enforced) |
| TCP |
80/443 |
HTTP(S) -- relay target for AD CS enrollment |
| TCP |
135 |
RPC -- used for coercion (PetitPotam, PrinterBug) |
Coercion Methods
| Method |
Protocol |
Vulnerability |
Target |
| PetitPotam |
MS-EFSRPC |
CVE-2021-36942 |
Domain controllers -> AD CS |
| DFSCoerce |
MS-DFSNM |
N/A |
Domain controllers |
| PrinterBug (SpoolSample) |
MS-RPRN |
By design |
Any host with Print Spooler |
| ShadowCoerce |
MS-FSRVP |
N/A |
Hosts with File Server VSS Agent |
Splunk SPL - NTLM Relay Detection Queries
KQL - Microsoft Sentinel Queries
python-evtx - Parse Security EVTX
References