Fancy NTLM Relay

Deep dive into NTLM relay attacks - understanding the technique, modern variations, and detection strategies for defenders.

ntlm relay active-directory credential-theft detection

Originally published on Medium
Read the full article: Fancy NTLM Relay

What is NTLM Relay?

NTLM relay attacks intercept authentication attempts and forward them to other services, effectively impersonating the victim.

The Attack Flow

  1. Coerce Authentication - Trick target into authenticating
  2. Intercept - Capture the NTLM authentication
  3. Relay - Forward to target service
  4. Profit - Gain access as the victim

Coercion Methods

  • PetitPotam
  • PrinterBug
  • DFSCoerce
  • ShadowCoerce

Relay Targets

  • LDAP/LDAPS
  • SMB
  • HTTP
  • AD CS Web Enrollment

Detection Opportunities

Network Level

index=zeek sourcetype=smb_mapping
| where src_ip!=dest_ip
| stats count by src_ip, dest_ip, user

Endpoint Level

Look for:

  • Unusual NTLM authentication patterns
  • Anonymous connections from unexpected sources
  • Certificate requests during relay
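One concrete form of the "unusual NTLM authentication pattern" above is a computer account (name ending in "$") performing an NTLM network logon from an IP address that is not the computer's own, which is what a relayed coerced authentication looks like at the target. The following is an added example, not code from the original article; the host inventory and the 4624-style records are constructed sample data, and the field names are simplified.

```python
"""Flag NTLM network logons by machine accounts from an unexpected source IP.

A relayed authentication reaches the target service as a logon (type 3,
package NTLM) for a machine identity, but the source address belongs to
the relay host rather than to that machine. Inventory and events below
are constructed sample data, not real telemetry.
"""
from collections import Counter

# Constructed inventory: the IP each computer account is expected to use.
HOST_INVENTORY = {
    "DC01$": "10.0.0.5",
    "FS01$": "10.0.0.20",
    "WS07$": "10.0.1.77",
}

# Constructed 4624-style records (logon_type 3 = network logon).
SAMPLE_EVENTS = [
    {"account": "DC01$", "src_ip": "10.0.0.5",  "logon_type": 3, "package": "Kerberos", "target": "FS01"},
    {"account": "DC01$", "src_ip": "10.0.1.99", "logon_type": 3, "package": "NTLM",     "target": "CA01"},
    {"account": "FS01$", "src_ip": "10.0.1.99", "logon_type": 3, "package": "NTLM",     "target": "DC01"},
    {"account": "alice", "src_ip": "10.0.1.77", "logon_type": 3, "package": "NTLM",     "target": "FS01"},
    {"account": "WS07$", "src_ip": "10.0.1.77", "logon_type": 3, "package": "NTLM",     "target": "FS01"},
]


def is_machine_account(name):
    return name.endswith("$")


def relayed_machine_logons(events, inventory):
    """Return (account, src_ip, target) for NTLM machine logons from the wrong IP."""
    findings = []
    for ev in events:
        if ev["logon_type"] != 3 or ev["package"] != "NTLM":
            continue  # only NTLM network logons are relay candidates
        if not is_machine_account(ev["account"]):
            continue  # user accounts need a different baseline
        expected = inventory.get(ev["account"])
        if expected is not None and ev["src_ip"] != expected:
            findings.append((ev["account"], ev["src_ip"], ev["target"]))
    return findings


def relay_sources(findings):
    """Count distinct machine identities presented by each source IP; a
    single IP presenting several machine identities is a strong relay signal."""
    return Counter(src for _, src, _ in findings)


if __name__ == "__main__":
    hits = relayed_machine_logons(SAMPLE_EVENTS, HOST_INVENTORY)
    for account, src, target in hits:
        print(f"possible relay: {account} authenticated to {target} from {src}")
    print(relay_sources(hits))
```

In a real deployment the inventory comes from DHCP/DNS or the directory, and Kerberos logons are excluded because a relay cannot forward them.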

Mitigations

  • Enable SMB signing
  • Enable LDAP signing/channel binding
  • Disable NTLM where possible
  • Implement Extended Protection for Authentication (EPA)

Read the full deep dive: Fancy NTLM Relay
