Hunting for NTLM Relay Attacks

The NTLM Relay Attack exploits a weakness in the NTLM challenge/response protocol: an attacker who can intercept an NTLM authentication attempt forwards it to another server and is authenticated there as the victim, without ever knowing the victim's password. It is effective in environments where SMB signing is not enforced and NTLM authentication is enabled.

Attack Overview

  1. Prerequisites:

    • SMB Signing Disabled on the target: the relayed session is accepted without the integrity check that would otherwise reject it.

    • Responder Tool: Listens for LLMNR/NBT-NS requests and captures NTLM hashes.

    • ntlmrelayx Tool: Relays captured credentials to a target machine with SMB signing disabled.

  2. Steps:

    • The attacker sets up Responder to capture NTLM authentication requests.

    • The user (e.g., jonsnow) tries to access a non-existent share (e.g., \\192.168.230.100\Sare); because DNS cannot resolve the name, the client falls back to LLMNR/NBT-NS, and Responder answers the request.

    • The attacker captures the NTLM challenge/response and relays it using ntlmrelayx to another vulnerable target (e.g., WORKSTATION-01).

    • Once authenticated, the attacker can dump hashes or perform lateral movement.

Detection

Key Event Logs to Monitor

  1. Event ID 4624: Successful Logon Event

    • Target Machine: Logs successful logon events for relayed connections.

    • Mismatch Detection:

      • Source Network Address: Shows the attacker's machine IP.

      • Workstation Name: Shows the original user's workstation (e.g., WORKSTATION-02).

Log Analysis Example

Logon Event from Target Machine (WORKSTATION-01):

Event ID: 4624
Logon Type: 3 (Network)
Subject Account: jonsnow
Source Network Address: 192.168.230.129 (Attacker's IP)
Workstation Name: WORKSTATION-02

  • Anomaly:

    • The Source Network Address is different from the Workstation Name.

    • This indicates an NTLM relay attack: the credential was presented from a host other than the one the client claims to be.

Detection Logic

To automate detection:

  1. Cross-reference IP and Hostname Mismatch:

    • Compare the Source Network Address with the Workstation Name.

    • Use a known list of IP-hostname mappings to validate legitimate logon events.

  2. SIEM Queries:

    • Create correlation rules to flag events where:

      • Source Network Address ≠ the IP recorded for the Workstation Name in the hostname-to-IP mapping.

      • Logon Type is 3 (Network).

      • The same user account logs on to multiple systems in an unusual pattern (e.g., from a source address it has not used before).

Example Query (SIEM, Splunk-style; assumes a lookup table workstation_ip_map with the fields WorkstationName and ExpectedWorkstationIP built from the asset inventory):

index=security_logs EventID=4624 LogonType=3
| lookup workstation_ip_map WorkstationName OUTPUT ExpectedWorkstationIP
| where SourceNetworkAddress != ExpectedWorkstationIP OR isnull(ExpectedWorkstationIP)
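The mismatch check above, as an added worked example (not code from the original page): it parses constructed 4624 records in the page's field layout and compares each network logon's Source Network Address with an assumed asset inventory (HOST_IP_MAP, a constructed hostname-to-IP mapping), going slightly beyond the text by also flagging workstation names that are absent from the inventory and skipping loopback sources.

```python
import re

# Constructed sample records in the page's field layout, plus an assumed asset
# inventory (hostname -> expected IP); neither is real data.
SAMPLE_EVENTS = """\
Event ID: 4624
Logon Type: 3
Subject Account: jonsnow
Source Network Address: 192.168.230.129
Workstation Name: WORKSTATION-02

Event ID: 4624
Logon Type: 3
Subject Account: aryastark
Source Network Address: 192.168.230.102
Workstation Name: WORKSTATION-02

Event ID: 4624
Logon Type: 3
Subject Account: jonsnow
Source Network Address: ::1
Workstation Name: WORKSTATION-01
"""
HOST_IP_MAP = {"WORKSTATION-01": "192.168.230.101", "WORKSTATION-02": "192.168.230.102"}
LOCAL_SOURCES = {"", "-", "::1", "127.0.0.1"}  # loopback/local logons carry no client IP


def parse_events(text):
    """Split blank-line separated records into dicts of 'Field: Value' pairs."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, _, v in pairs})
    return records


def find_relay_candidates(events, host_ip_map):
    """Flag type-3 logons whose Source Network Address disagrees with the inventory
    IP of the claimed Workstation Name (expected_ip None = host not in inventory)."""
    alerts = []
    for ev in events:
        if ev.get("Event ID") != "4624" or ev.get("Logon Type") != "3":
            continue
        src = ev.get("Source Network Address", "")
        if src in LOCAL_SOURCES:
            continue
        ws = ev.get("Workstation Name", "").upper()
        expected = host_ip_map.get(ws)
        if expected != src:  # covers both a mismatch and an unknown workstation (None)
            alerts.append((ev.get("Subject Account"), ws, src, expected))
    return alerts
```

Running find_relay_candidates(parse_events(SAMPLE_EVENTS), HOST_IP_MAP) flags only the jonsnow logon, whose source 192.168.230.129 is not the inventory address of WORKSTATION-02.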

Mitigation Steps

  1. Enforce SMB Signing:

    • Ensure that SMB signing is enabled and required on all systems.

    • This blocks relay to SMB: the relaying attacker never obtains the session key, so it cannot sign the relayed session, and a server that requires signing rejects it. Signing protects SMB targets only; relays to LDAP or HTTP services need LDAP signing/channel binding and EPA (below) respectively.

  2. Disable NTLM:

    • Transition to Kerberos for authentication.

    • Disable NTLM where feasible using Group Policy:

      Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts

  3. Enable Extended Protection for Authentication (EPA):

    • Use EPA to secure NTLM against relay attacks: it binds the authentication to the TLS channel (channel binding) or the target service name, so a relayed authentication fails on services such as HTTPS and LDAPS that enforce it.

  4. Monitor and Audit NTLM Usage:

    • Continuously audit NTLM logon events and monitor for anomalous patterns.

  5. Restrict LLMNR and NBT-NS:

    • Disable LLMNR and NBT-NS protocols to reduce attack surface. LLMNR is turned off by the "Turn off multicast name resolution" policy, which sets the EnableMulticast registry value; the equivalent from an elevated PowerShell session is:

      New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Force | Out-Null
      Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -Value 0 -Type DWord

      NBT-NS is disabled per network adapter (the WINS tab of the adapter's IPv4 settings, or NetbiosOptions = 2 under the NetBT interface registry keys).

    • Use DNS for name resolution to avoid fallback to vulnerable protocols.

Key Points

Detecting NTLM Relay Attacks involves monitoring specific patterns in logon events, especially IP-hostname mismatches. Proactive mitigation by enforcing SMB signing, disabling NTLM, and securing name resolution can significantly reduce the risk of such attacks.
