NTLM Relay Attack Detection Reference
Windows Event IDs
| Event ID |
Log |
Description |
| 4624 |
Security |
Successful logon — primary relay detection event |
| 4625 |
Security |
Failed logon — may indicate relay attempts |
| 5145 |
Security |
Network share object access — named pipe monitoring |
| 4776 |
Security |
NTLM credential validation |
Event 4624 Fields for Relay Detection
| Field |
Suspicious Value |
Significance |
| LogonType |
3 (Network) |
Relay always produces network logon |
| AuthenticationPackageName |
NTLMSSP |
NTLM used instead of Kerberos |
| LmPackageName |
NTLM V1 |
Downgraded to NTLMv1 (very suspicious) |
| WorkstationName |
Mismatch with IpAddress |
Key relay indicator |
| TargetUserSid |
S-1-0-0 (NULL SID) |
Unauthenticated relay attempt |
| LogonGuid |
{00000000-...} |
Empty GUID indicates relay |
| ImpersonationLevel |
Impersonation |
Relay uses impersonation |
Suspicious Named Pipes (Event 5145)
| Pipe Name |
Service |
Relay Target |
spoolss |
Print Spooler |
PrinterBug/SpoolSample |
lsarpc |
LSA |
PetitPotam, DFSCoerce |
netlogon |
Netlogon |
ZeroLogon relay |
samr |
SAM |
User enumeration |
efsrpc |
EFS |
PetitPotam |
netdfs |
DFS |
DFSCoerce |
srvsvc |
Server Service |
General relay |
Splunk Detection Query
Elastic EQL Detection (NTLM Relay Against Computer Account)
PowerShell Detection
SMB Signing Enforcement
Common Relay Tools (Detection Signatures)
| Tool |
Network Signature |
| Responder |
LLMNR/NBT-NS responses from non-authoritative source |
| ntlmrelayx |
Rapid sequential NTLM auth from single source IP |
| PetitPotam |
EFS RPC calls to \attacker\share via lsarpc pipe |
| PrinterBug |
RPC call to spoolss pipe targeting attacker listener |
| mitm6 |
DHCPv6 responses with rogue DNS server |
MITRE ATT&CK Mapping
- T1557.001 — Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
- T1187 — Forced Authentication
- T1003.001 — OS Credential Dumping: LSASS Memory
- TA0006 — Credential Access (Tactic)
Response Checklist
- Enable SMB signing on all domain hosts via GPO
- Disable LLMNR:
Set-DnsClientGlobalSetting -SuffixSearchList @("")
- Disable NBT-NS in network adapter advanced settings
- Enable Extended Protection for Authentication (EPA)
- Enforce NTLMv2 and deny NTLMv1:
LmCompatibilityLevel = 5
- Deploy SMB signing GPO:
RequireSecuritySignature = 1