mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 03:15:16 +03:00
114 lines
4.2 KiB
Markdown
114 lines
4.2 KiB
Markdown
# NTLM Relay Attack Detection Reference
|
|
|
|
## Windows Event IDs
|
|
|
|
| Event ID | Log | Description |
|
|
|----------|-----|-------------|
|
|
| 4624 | Security | Successful logon — primary relay detection event |
|
|
| 4625 | Security | Failed logon — may indicate relay attempts |
|
|
| 5145 | Security | Network share object access — named pipe monitoring |
|
|
| 4776 | Security | NTLM credential validation |
|
|
|
|
## Event 4624 Fields for Relay Detection
|
|
|
|
| Field | Suspicious Value | Significance |
|
|
|-------|-----------------|--------------|
|
|
| LogonType | 3 (Network) | Relay always produces network logon |
|
|
| AuthenticationPackageName | NTLMSSP | NTLM used instead of Kerberos |
|
|
| LmPackageName | NTLM V1 | Downgraded to NTLMv1 (very suspicious) |
|
|
| WorkstationName | Mismatch with IpAddress | Key relay indicator |
|
|
| TargetUserSid | S-1-0-0 (NULL SID) | Unauthenticated relay attempt |
|
|
| LogonGuid | {00000000-...} | Empty GUID indicates relay |
|
|
| ImpersonationLevel | Impersonation | Relay uses impersonation |
|
|
|
|
## Suspicious Named Pipes (Event 5145)
|
|
|
|
| Pipe Name | Service | Relay Target |
|
|
|-----------|---------|-------------|
|
|
| `spoolss` | Print Spooler | PrinterBug/SpoolSample |
|
|
| `lsarpc` | LSA | PetitPotam, DFSCoerce |
|
|
| `netlogon` | Netlogon | ZeroLogon relay |
|
|
| `samr` | SAM | User enumeration |
|
|
| `efsrpc` | EFS | PetitPotam |
|
|
| `netdfs` | DFS | DFSCoerce |
|
|
| `srvsvc` | Server Service | General relay |
|
|
|
|
## Splunk Detection Query
|
|
|
|
```spl
|
|
index=wineventlog EventCode=4624 Logon_Type=3 Authentication_Package=NTLM
|
|
| eval hostname_ip_match=if(Workstation_Name==src_ip OR isnull(Workstation_Name), "match", "mismatch")
|
|
| where hostname_ip_match="mismatch"
|
|
| stats count values(src_ip) as source_ips values(Workstation_Name) as workstations by Account_Name, Computer
|
|
| where count > 3
|
|
```
|
|
|
|
## Elastic EQL Detection (NTLM Relay Against Computer Account)
|
|
|
|
```eql
|
|
sequence by winlog.computer_name with maxspan=5s
|
|
[any where event.code == "5145" and
|
|
winlog.event_data.RelativeTargetName in ("spoolss","netdfs","lsarpc","samr","efsrpc","netlogon") and
|
|
winlog.event_data.SubjectUserName != winlog.computer_name]
|
|
[authentication where event.code in ("4624","4625") and
|
|
winlog.event_data.AuthenticationPackageName == "NTLM" and
|
|
winlog.event_data.LogonType == "3" and
|
|
winlog.event_data.TargetUserName : "*$"]
|
|
```
|
|
|
|
## PowerShell Detection
|
|
|
|
```powershell
|
|
# Query NTLM type 3 logons
|
|
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
|
|
Where-Object {
|
|
$_.Properties[8].Value -eq 3 -and
|
|
$_.Properties[14].Value -match 'NTLM'
|
|
} | Select-Object TimeCreated,
|
|
@{N='User';E={$_.Properties[5].Value}},
|
|
@{N='Workstation';E={$_.Properties[11].Value}},
|
|
@{N='SourceIP';E={$_.Properties[18].Value}},
|
|
@{N='AuthPkg';E={$_.Properties[14].Value}}
|
|
|
|
# Check SMB signing
|
|
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
|
|
```
|
|
|
|
## SMB Signing Enforcement
|
|
|
|
```powershell
|
|
# Enable SMB signing (require on server)
|
|
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
|
|
|
|
# Group Policy path
|
|
# Computer Configuration > Policies > Windows Settings > Security Settings >
|
|
# Local Policies > Security Options >
|
|
# Microsoft network server: Digitally sign communications (always): Enabled
|
|
```
|
|
|
|
## Common Relay Tools (Detection Signatures)
|
|
|
|
| Tool | Network Signature |
|
|
|------|------------------|
|
|
| Responder | LLMNR/NBT-NS responses from non-authoritative source |
|
|
| ntlmrelayx | Rapid sequential NTLM auth from single source IP |
|
|
| PetitPotam | EFS RPC calls to \\attacker\share via lsarpc pipe |
|
|
| PrinterBug | RPC call to spoolss pipe targeting attacker listener |
|
|
| mitm6 | DHCPv6 responses with rogue DNS server |
|
|
|
|
## MITRE ATT&CK Mapping
|
|
|
|
- **T1557.001** — Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
|
|
- **T1187** — Forced Authentication
|
|
- **T1003.001** — OS Credential Dumping: LSASS Memory
|
|
- **TA0006** — Credential Access (Tactic)
|
|
|
|
## Response Checklist
|
|
|
|
1. Enable SMB signing on all domain hosts via GPO
|
|
2. Disable LLMNR: `Set-DnsClientGlobalSetting -SuffixSearchList @("")`
|
|
3. Disable NBT-NS in network adapter advanced settings
|
|
4. Enable Extended Protection for Authentication (EPA)
|
|
5. Enforce NTLMv2 and deny NTLMv1: `LmCompatibilityLevel = 5`
|
|
6. Deploy SMB signing GPO: `RequireSecuritySignature = 1`
|