Files
Anthropic-Cybersecurity-Skills/skills/hunting-for-ntlm-relay-attacks/references/api-reference.md
T

4.2 KiB

NTLM Relay Attack Detection Reference

Windows Event IDs

Event ID Log Description
4624 Security Successful logon — primary relay detection event
4625 Security Failed logon — may indicate relay attempts
5145 Security Network share object access — named pipe monitoring
4776 Security NTLM credential validation

Event 4624 Fields for Relay Detection

Field Suspicious Value Significance
LogonType 3 (Network) Relay always produces network logon
AuthenticationPackageName NTLMSSP NTLM used instead of Kerberos
LmPackageName NTLM V1 Downgraded to NTLMv1 (very suspicious)
WorkstationName Mismatch with IpAddress Key relay indicator
TargetUserSid S-1-0-0 (NULL SID) Unauthenticated relay attempt
LogonGuid {00000000-...} Empty GUID indicates relay
ImpersonationLevel Impersonation Relay uses impersonation

Suspicious Named Pipes (Event 5145)

Pipe Name Service Relay Target
spoolss Print Spooler PrinterBug/SpoolSample
lsarpc LSA PetitPotam, DFSCoerce
netlogon Netlogon ZeroLogon relay
samr SAM User enumeration
efsrpc EFS PetitPotam
netdfs DFS DFSCoerce
srvsvc Server Service General relay

Splunk Detection Query

index=wineventlog EventCode=4624 Logon_Type=3 Authentication_Package=NTLM
| eval hostname_ip_match=if(Workstation_Name==src_ip OR isnull(Workstation_Name), "match", "mismatch")
| where hostname_ip_match="mismatch"
| stats count values(src_ip) as source_ips values(Workstation_Name) as workstations by Account_Name, Computer
| where count > 3

Elastic EQL Detection (NTLM Relay Against Computer Account)

sequence by winlog.computer_name with maxspan=5s
  [any where event.code == "5145" and
    winlog.event_data.RelativeTargetName in ("spoolss","netdfs","lsarpc","samr","efsrpc","netlogon") and
    winlog.event_data.SubjectUserName != winlog.computer_name]
  [authentication where event.code in ("4624","4625") and
    winlog.event_data.AuthenticationPackageName == "NTLM" and
    winlog.event_data.LogonType == "3" and
    winlog.event_data.TargetUserName : "*$"]

PowerShell Detection

# Query NTLM type 3 logons
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
  Where-Object {
    $_.Properties[8].Value -eq 3 -and
    $_.Properties[14].Value -match 'NTLM'
  } | Select-Object TimeCreated,
    @{N='User';E={$_.Properties[5].Value}},
    @{N='Workstation';E={$_.Properties[11].Value}},
    @{N='SourceIP';E={$_.Properties[18].Value}},
    @{N='AuthPkg';E={$_.Properties[14].Value}}

# Check SMB signing
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

SMB Signing Enforcement

# Enable SMB signing (require on server)
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# Group Policy path
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Local Policies > Security Options >
# Microsoft network server: Digitally sign communications (always): Enabled

Common Relay Tools (Detection Signatures)

Tool Network Signature
Responder LLMNR/NBT-NS responses from non-authoritative source
ntlmrelayx Rapid sequential NTLM auth from single source IP
PetitPotam EFS RPC calls to \attacker\share via lsarpc pipe
PrinterBug RPC call to spoolss pipe targeting attacker listener
mitm6 DHCPv6 responses with rogue DNS server

MITRE ATT&CK Mapping

  • T1557.001 — Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
  • T1187 — Forced Authentication
  • T1003.001 — OS Credential Dumping: LSASS Memory
  • TA0006 — Credential Access (Tactic)

Response Checklist

  1. Enable SMB signing on all domain hosts via GPO
  2. Disable LLMNR: Set-DnsClientGlobalSetting -SuffixSearchList @("")
  3. Disable NBT-NS in network adapter advanced settings
  4. Enable Extended Protection for Authentication (EPA)
  5. Enforce NTLMv2 and deny NTLMv1: LmCompatibilityLevel = 5
  6. Deploy SMB signing GPO: RequireSecuritySignature = 1