This note documents detection patterns for NTLM relay to LDAP (LDAP relay) in Active Directory environments: an attacker coerces or captures an NTLM authentication and forwards it to a domain controller's LDAP service, then acts in the directory as the victim account.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | High | On the domain controller: Logon Type 3 with Authentication Package NTLM (Logon Process NtLmSsp). The relayed account, often a machine account, shows an IpAddress / WorkstationName that is not its own host. |
| Security | 4672 | Special privileges assigned | High | Correlate with the 4624 by Logon ID: the relayed session belongs to a privileged account. |
| Security | 4662 | Operation performed on a directory object | Critical | Only logged where a SACL exists on the object. Attribute writes (RBCD, msDS-KeyCredentialLink, group membership) are more reliably caught by 5136 (Directory Service Changes auditing). Correlate by Logon ID. |
| Sysmon | 3 | Network connection | High | Connections to domain controllers on 389 / 636 (and 3268 / 3269 for the global catalog) from hosts or processes that do not normally speak LDAP. The attacker-to-DC leg is visible here only if the relay runs on a Sysmon-instrumented Windows host. |
| Sysmon | 1 | Process creation | Medium | Execution of relay tooling on Windows hosts. Relay tools usually run on an attacker-controlled Linux host, so absence of this event is not evidence of absence. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Unexpected LDAP modifications | A machine account writing msDS-AllowedToActOnBehalfOfOtherIdentity or msDS-KeyCredentialLink on its own computer object, or creating a new computer object | Critical | Typical outcome of relaying a coerced computer account to LDAP. |
| Authentication without Kerberos | 4624 with Logon Type 3 and NTLM on domain controllers, where the source does not match the account's host | High | Domain members normally use Kerberos; relayed authentication is always NTLM. |
| LDAP traffic spike | Burst of binds and searches from a single unusual host | High | Relay tools often dump the directory right after a successful bind. |
Common Tools
| Tool | Usage |
|---|---|
| Impacket ntlmrelayx | Relays captured NTLM authentication to LDAP / LDAPS targets (`-t ldap://` or `ldaps://`) and automates abuse such as RBCD (`--delegate-access`) or granting a user DCSync rights (`--escalate-user`). |
| Responder | Poisons LLMNR / NBT-NS / mDNS to capture NTLM authentication; in a relay setup its SMB and HTTP servers are disabled so ntlmrelayx receives the connections instead. |
| Coercer | Triggers forced authentication from a target (MS-RPRN, MS-EFSR and other RPC interfaces) toward the relay host. |
| CrackMapExec | Enumerates hosts that do not require signing (`--gen-relay-list`) and checks LDAP signing / channel binding on domain controllers (`ldap-checker` module); relay itself is left to ntlmrelayx. |
Relevant Artifacts
- Security logs on domain controllers (4624, 4672, 4662 and, with Directory Service Changes auditing enabled, 5136)
- Directory Service log with the LDAP Interface Events diagnostic level raised (2887 daily summary and 2889 per-client events for binds without signing or channel binding)
- Network logs for ports 389 / 636 (and 3268 / 3269 for the global catalog)
- Sysmon process and network telemetry
- EDR telemetry
MITRE ATT&CK References
- T1557 Adversary-in-the-Middle
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
- T1187 Forced Authentication (coercion step, e.g. Coercer)
Decision Tree
- Detect NTLM authentication to LDAP: on domain controllers, 4624 with Logon Type 3 and Authentication Package NTLM; Kerberos is the norm for domain members.
- Identify the source host initiating the relay: compare IpAddress and WorkstationName in the 4624 with the host the account belongs to; a machine account authenticating from a foreign address is the strongest single signal.
- Inspect the LDAP operations performed: pivot on the Logon ID to 4662 and 5136 events in the same session and look for attribute writes and bulk enumeration.
- Verify the privileges of the authenticated account: a 4672 with the same Logon ID, or membership in privileged groups.
- Determine the persistence or privilege escalation outcome: RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity), shadow credentials (msDS-KeyCredentialLink), group membership changes, new computer objects, or replication (DCSync) rights granted on the domain object.
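The decision tree above worked as code, together with the Logon ID correlation the indicator tables mention but do not spell out. This is an added example, not code from the original note: it runs the five steps over a handful of constructed Security events whose keys mirror the EventData field names of 4624 / 4672 / 5136. The event values, the HOST_OF asset inventory, the list of high-value attributes and the severity thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events (not real logs). Keys mirror the EventData field
# names of Security 4624 / 4672 / 5136 as exported by Get-WinEvent or a SIEM;
# 5136 requires the "Directory Service Changes" audit subcategory on the DC.
EVENTS = [
    # Kerberos network logon from WS01 itself: benign baseline.
    {"EventID": 4624, "TargetUserName": "WS01$", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.21",
     "WorkstationName": "WS01", "TargetLogonId": "0x1a2b"},
    # NTLM network logon for WS02$ from a host that is not WS02, then a write
    # to its own RBCD attribute inside the same logon session.
    {"EventID": 4624, "TargetUserName": "WS02$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99",
     "WorkstationName": "ATTACKER", "TargetLogonId": "0x3c4d"},
    {"EventID": 5136, "SubjectLogonId": "0x3c4d", "SubjectUserName": "WS02$",
     "ObjectDN": "CN=WS02,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    # NTLM network logon for a privileged user from the same foreign host,
    # with 4672 and a group-membership write in the session.
    {"EventID": 4624, "TargetUserName": "j.admin", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99",
     "WorkstationName": "ATTACKER", "TargetLogonId": "0x5e6f"},
    {"EventID": 4672, "SubjectLogonId": "0x5e6f", "SubjectUserName": "j.admin"},
    {"EventID": 5136, "SubjectLogonId": "0x5e6f", "SubjectUserName": "j.admin",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "member"},
    # NTLM logon of a user from their own workstation that edits a harmless
    # attribute: worth a look, not an incident.
    {"EventID": 4624, "TargetUserName": "a.user", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.31",
     "WorkstationName": "WS03", "TargetLogonId": "0x7a8b"},
    {"EventID": 5136, "SubjectLogonId": "0x7a8b", "SubjectUserName": "a.user",
     "ObjectDN": "CN=a.user,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description"},
]

# Assumed asset inventory: names/addresses each machine account legitimately
# authenticates from. In production this comes from DNS, DHCP or the CMDB.
HOST_OF = {"WS01$": {"WS01", "10.0.0.21"}, "WS02$": {"WS02", "10.0.0.22"}}

# Attributes whose modification through a relayed session means the attack
# achieved persistence or privilege escalation (list is an assumption).
HIGH_VALUE_ATTRS = {
    "msDS-AllowedToActOnBehalfOfOtherIdentity",  # resource-based constrained delegation
    "msDS-KeyCredentialLink",                    # shadow credentials
    "member",                                    # group membership
    "servicePrincipalName",                      # delegation / Kerberoasting setups
}


def triage_ldap_relay(events, host_of):
    """Walk the decision tree once per NTLM network logon; return findings."""
    session_of = defaultdict(list)            # Logon ID -> events in that session
    for e in events:
        if "SubjectLogonId" in e:
            session_of[e["SubjectLogonId"]].append(e)

    findings = []
    for e in events:
        # Step 1: relayed authentication always arrives as an NTLM type-3 logon.
        if not (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["AuthenticationPackageName"] == "NTLM"):
            continue
        acct = e["TargetUserName"]
        source = {e["IpAddress"], e["WorkstationName"]}
        session = session_of.get(e["TargetLogonId"], [])
        # Step 2: a machine account authenticating from a host other than its
        # own is the signature of a coerced-and-relayed computer account.
        foreign = acct in host_of and not (source & host_of[acct])
        # Step 3: directory operations performed inside the session.
        ops = [x for x in session if x["EventID"] in (4662, 5136)]
        attrs = sorted(a for a in {x.get("AttributeLDAPDisplayName") for x in ops} if a)
        # Step 4: did the session hold special privileges?
        privileged = any(x["EventID"] == 4672 for x in session)
        # Step 5: outcome and severity.
        escalated = bool(set(attrs) & HIGH_VALUE_ATTRS)
        if escalated:
            severity = "critical"
        elif foreign or (privileged and ops):
            severity = "high"
        elif ops:
            severity = "medium"
        else:
            continue  # a lone NTLM logon is too noisy to raise on its own
        findings.append({"account": acct, "source": sorted(source),
                         "logon_id": e["TargetLogonId"], "foreign_source": foreign,
                         "privileged": privileged, "attributes": attrs,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage_ldap_relay(EVENTS, HOST_OF):
        print(f["severity"].upper(), f["account"], "from", f["source"], f["attributes"])
```

On the sample data the WS02$ and j.admin sessions come out critical (RBCD write and Domain Admins membership change), while a.user's NTLM logon from its own workstation is only medium. In a real pipeline the same logic applies to SIEM-normalised events, with the Logon ID join being the part most often missed.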
Example Detection Templates
KQL (Microsoft Sentinel, SecurityEvent table from domain controllers)
```kql
SecurityEvent
| where EventID == 4624 and LogonType == 3 and AuthenticationPackageName == "NTLM"
| where TargetUserName endswith "$"  // machine-account relay is the common case; drop this line to include users
| summarize Logons = count() by Computer, TargetUserName, IpAddress, WorkstationName
```
EQL (endpoint network events; tune the process exclusions to the environment)
```eql
network where destination.port in (389, 636, 3268, 3269) and
  not process.name in ("lsass.exe", "svchost.exe")
```
Sigma (apply to Security logs collected from domain controllers)
```yaml
title: NTLM Network Logon by Machine Account on Domain Controller (Possible LDAP Relay)
status: experimental
description: Relayed NTLM authentication to LDAP appears on the DC as a type 3 NTLM logon, often for a machine account, from an IP that is not the account's own host.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 3
    AuthenticationPackageName: NTLM
    TargetUserName|endswith: '$'
  condition: selection
falsepositives:
  - Legacy systems that still use NTLM for machine-account network logons
level: high
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| LDAP signing | Set "Domain controller: LDAP server signing requirements" to Require signing (LDAPServerIntegrity = 2) | Critical | Blocks relay to LDAP on 389 / 3268: the relayed bind has no session key and cannot sign. Does nothing for LDAPS. |
| Channel binding | Set "Domain controller: LDAP server channel binding token requirements" to Always (LdapEnforceChannelBinding = 2) | High | Blocks relay to LDAPS on 636 / 3269. "When supported" still accepts binds that carry no token, which is what a coerced SMB client produces. |
| Audit before enforcing | Raise the "16 LDAP Interface Events" diagnostic level and review Directory Service events 2887 / 2889 for clients binding without signing or channel binding | High | Identifies legacy clients that would break under enforcement. |
| NTLM reduction | Restrict NTLM with the "Network security: Restrict NTLM" policies, audit mode first | High | Removes the relayable credential at the source. |
| Attack surface | Set ms-DS-MachineAccountQuota to 0 and remove coercion vectors (e.g. Print Spooler on domain controllers) | Medium | Limits what a relayed machine account can create and how it is coerced. |
| Monitoring | Alert on NTLM type 3 logons to domain controllers and on writes to msDS-AllowedToActOnBehalfOfOtherIdentity, msDS-KeyCredentialLink and group membership (5136) | High | Detects exploitation attempts and their outcome. |
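To make the two caveats in the table concrete, here is an added example (not from the original note) that models the domain controller's acceptance decision for a relayed NTLM bind under each combination of the two policies. The registry value names and levels (LDAPServerIntegrity 1/2, LdapEnforceChannelBinding 0/1/2) are the real settings under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters; the bind model itself (a relay cannot sign because it lacks the NTLM session key, and carries either no channel binding token or one bound to the wrong TLS channel) is the example's own simplification and covers SASL binds only.

```python
# Policy levels are the real registry values under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on a domain controller.
SIGNING_NONE, SIGNING_REQUIRED = 1, 2                 # LDAPServerIntegrity
CBT_NEVER, CBT_WHEN_SUPPORTED, CBT_ALWAYS = 0, 1, 2   # LdapEnforceChannelBinding

LDAPS_PORTS = (636, 3269)   # TLS-wrapped LDAP / global catalog


def bind_accepted(policy, port, signed, cbt):
    """Simplified model of the DC's decision for a SASL (NTLM) bind.

    port   : 389/3268 cleartext LDAP, 636/3269 LDAPS
    signed : client can sign LDAP traffic (requires the NTLM session key)
    cbt    : "absent" | "valid" | "mismatch" channel binding token
    """
    if port not in LDAPS_PORTS:
        # Signing enforcement only concerns connections not protected by TLS.
        return signed or policy["LDAPServerIntegrity"] != SIGNING_REQUIRED
    level = policy["LdapEnforceChannelBinding"]
    if level == CBT_NEVER:
        return True
    if level == CBT_WHEN_SUPPORTED:
        return cbt != "mismatch"   # no token is tolerated, a wrong token is not
    return cbt == "valid"          # CBT_ALWAYS


def relayed_bind(port, victim_sent_cbt=False):
    """What an NTLM relay can forge (model assumption): it never has the session
    key, so it cannot sign; its token is absent (victim spoke SMB or cleartext
    to the relay) or bound to the wrong TLS channel (victim spoke HTTPS to it)."""
    return {"port": port, "signed": False,
            "cbt": "mismatch" if victim_sent_cbt else "absent"}


def relay_blocked(policy, port, victim_sent_cbt=False):
    return not bind_accepted(policy, **relayed_bind(port, victim_sent_cbt))


def exploitable_ports(policy, victim_sent_cbt=False):
    """LDAP ports on which a relayed bind still succeeds under this policy."""
    return [p for p in (389, 636) if not relay_blocked(policy, p, victim_sent_cbt)]


WEAK = {"LDAPServerIntegrity": SIGNING_NONE, "LdapEnforceChannelBinding": CBT_NEVER}
SIGN_ONLY = {"LDAPServerIntegrity": SIGNING_REQUIRED, "LdapEnforceChannelBinding": CBT_NEVER}
CBT_ONLY = {"LDAPServerIntegrity": SIGNING_NONE, "LdapEnforceChannelBinding": CBT_ALWAYS}
HARDENED = {"LDAPServerIntegrity": SIGNING_REQUIRED, "LdapEnforceChannelBinding": CBT_ALWAYS}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("signing only", SIGN_ONLY),
                      ("channel binding only", CBT_ONLY), ("both", HARDENED)):
        print(f"{name:22} relay still works on: {exploitable_ports(pol)}")
```

The point the table makes falls out of the matrix: signing alone leaves 636 open, channel binding alone leaves 389 open, and "When supported" still admits a relayed bind from a coerced SMB client because that bind carries no token at all. Both settings at their strict level are needed to close LDAP as a relay target.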