This note documents detection patterns related to NTLM Relay within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Critical | Look for LogonType 3 (network) from unusual hosts immediately following authentication coercion events. Review IpAddress, WorkstationName, TargetUserName, and AuthenticationPackageName (NTLM). |
| Security | 4625 | Failed logon | Medium | Multiple failed NTLM authentication attempts may precede successful relay attempts. |
| Security | 4776 | NTLM authentication | Critical | Key event for NTLM usage. Review Workstation, Source Workstation, and TargetUserName for unexpected authentication paths. |
| Security | 4672 | Special privileges assigned | High | Privileged logon following NTLM relay may indicate successful privilege escalation. |
| Security | 4688 | Process creation | Medium | Execution of relay tools such as ntlmrelayx.py or Responder may appear on the compromised host. |
| Sysmon | 1 | Process creation | High | Execution of Responder, ntlmrelayx, or other credential relay tools. |
| Sysmon | 3 | Network connection | Critical | Suspicious SMB/HTTP/LDAP connections between hosts immediately after inbound NTLM authentication. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Authentication coercion preceding NTLM auth | Events such as PrinterBug, PetitPotam, or DFSCoerce causing forced authentication | Critical | Common first step before NTLM relay. |
| NTLM authentication to unexpected service | Authentication to LDAP, SMB, or HTTP service from unusual host | High | Relay often targets LDAP on domain controllers. |
| Multiple authentication attempts from relay server | Single host initiating NTLM authentication on behalf of multiple users | High | Typical relay server behavior. |
| Immediate privileged action after authentication | Creation of machine accounts, ACL modifications, or AD changes | Critical | Indicates successful relay exploitation. |
| New machine account creation | Machine accounts created shortly after NTLM authentication | High | Often used for persistence or further delegation abuse. |
Common Tools
| Tool | Usage |
|---|---|
| Responder | Captures NTLM authentication attempts on network. |
| Impacket ntlmrelayx.py | Relays captured NTLM authentication to other services such as LDAP, SMB, or HTTP. |
| PetitPotam | Coerces domain controllers to authenticate to an attacker-controlled host. |
| PrinterBug | Forces target systems to authenticate to the attacker's host via MS-RPRN. |
| Coercer | Framework automating multiple authentication coercion techniques. |
| Cobalt Strike | Used to stage and execute NTLM relay modules. |
Relevant Artifacts
- Windows Security logs (4624, 4625, 4776)
- Sysmon logs (1, 3)
- Network telemetry showing NTLM authentication flows
- SMB and LDAP service logs
- EDR telemetry detecting Responder or ntlmrelayx execution
- PowerShell logs if relay orchestration scripts are used
- MFT artifacts showing deployment of relay tools
- DNS logs showing suspicious name resolution patterns
MITRE ATT&CK References
- T1557 Adversary-in-the-Middle
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
- T1110 Brute Force
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify NTLM authentication events (4776) from unusual hosts.
- What host generated the event?
  - Determine whether the authentication originated from a relay server rather than a legitimate client.
- Is the account expected to perform this action?
  - Investigate whether the user normally authenticates to the target system.
- Pivot:
  - Source host → inspect processes for Responder or ntlmrelayx.
  - Account → verify privileges and group membership.
  - Network → inspect authentication coercion events.
- Confirm exploitation
  - Determine whether the attacker performed privileged actions after the relay.
Example Detection Templates
KQL

```kql
SecurityEvent
| where EventID == 4776
| summarize count() by Workstation, TargetUserName, bin(TimeGenerated, 5m)
| order by count_ desc
```

```kql
SecurityEvent
| where EventID == 4624
| where AuthenticationPackageName == "NTLM"
| project TimeGenerated, TargetUserName, IpAddress, WorkstationName
```
EQL

```eql
any where event.code == "4776"
```
Sigma

```yaml
title: Suspicious NTLM Authentication
id: ntlm-relay-detection
status: experimental
description: Detects NTLM authentication activity that may indicate relay attacks
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4776
    condition: selection
fields:
    - Workstation
    - TargetUserName
falsepositives:
    - Legacy systems using NTLM authentication
level: medium
tags:
    - attack.credential_access
    - attack.t1557
```
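The templates above only select raw 4776 and 4624 events; the indirect indicators in the table earlier (one host presenting NTLM authentication for many accounts, and a privileged action immediately after an NTLM network logon) need correlation across events. The following Python script is an added example, not part of the original note, showing that correlation over a handful of constructed Security events. The field names mirror the ones the note lists; the sample hostnames, account names, IP addresses, logon IDs and timestamps are all made up for the illustration. It joins 4624 to 4672 on the logon ID (TargetLogonId in 4624 equals SubjectLogonId in 4672), which is a more reliable key than source IP because 4672 carries no network fields.

```python
"""Correlate Windows Security events for NTLM relay indicators.

Added example; the event records below are constructed sample data,
not real telemetry, shaped after the fields named in the note.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (ISO-8601 times, one hypothetical domain).
SAMPLE_EVENTS = [
    # Legitimate NTLM use from a legacy host: one account, one workstation.
    {"time": "2024-01-10T09:00:00", "EventID": 4776, "Workstation": "LEGACY01", "TargetUserName": "svc_backup"},
    # Relay-like burst: one workstation presents NTLM auth for several accounts within minutes.
    {"time": "2024-01-10T09:10:00", "EventID": 4776, "Workstation": "WS-UNKNOWN", "TargetUserName": "DC01$"},
    {"time": "2024-01-10T09:10:05", "EventID": 4776, "Workstation": "WS-UNKNOWN", "TargetUserName": "alice"},
    {"time": "2024-01-10T09:11:30", "EventID": 4776, "Workstation": "WS-UNKNOWN", "TargetUserName": "bob"},
    {"time": "2024-01-10T09:12:00", "EventID": 4776, "Workstation": "WS-UNKNOWN", "TargetUserName": "carol"},
    # NTLM network logon (LogonType 3) followed one second later by special privileges (4672),
    # linked through the logon id rather than the IP address.
    {"time": "2024-01-10T09:12:10", "EventID": 4624, "IpAddress": "10.0.0.50", "WorkstationName": "WS-UNKNOWN",
     "TargetUserName": "DC01$", "TargetLogonId": "0x3e7a1", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    {"time": "2024-01-10T09:12:11", "EventID": 4672, "SubjectUserName": "DC01$", "SubjectLogonId": "0x3e7a1"},
    # Benign: NTLM network logon with no privileged follow-up.
    {"time": "2024-01-10T09:30:00", "EventID": 4624, "IpAddress": "10.0.0.7", "WorkstationName": "LEGACY01",
     "TargetUserName": "svc_backup", "TargetLogonId": "0x4f002", "LogonType": 3, "AuthenticationPackageName": "NTLM"},
]


def _ts(event):
    """Parse the event timestamp."""
    return datetime.fromisoformat(event["time"])


def ntlm_fan_out(events, window=timedelta(minutes=5), min_users=3):
    """Flag workstations whose 4776 events cover at least `min_users` distinct
    accounts inside any sliding `window`. Returns {workstation: set_of_accounts}.
    This is the sliding-window form of the 5-minute bin in the KQL template."""
    by_workstation = defaultdict(list)
    for event in sorted(events, key=_ts):
        if event["EventID"] == 4776:
            by_workstation[event["Workstation"]].append(event)

    flagged = {}
    for workstation, evs in by_workstation.items():
        for i, start in enumerate(evs):
            users = {e["TargetUserName"] for e in evs[i:] if _ts(e) - _ts(start) <= window}
            if len(users) >= min_users:
                flagged[workstation] = flagged.get(workstation, set()) | users
    return flagged


def privileged_after_ntlm_logon(events, window=timedelta(seconds=60)):
    """Join NTLM network logons (4624, LogonType 3, NTLM package) to 4672 on
    the logon id and report those where privileges were assigned within `window`."""
    priv_by_logon_id = defaultdict(list)
    for event in events:
        if event["EventID"] == 4672:
            priv_by_logon_id[event["SubjectLogonId"]].append(event)

    hits = []
    for logon in sorted(events, key=_ts):
        if logon["EventID"] != 4624:
            continue
        if logon.get("AuthenticationPackageName") != "NTLM" or logon.get("LogonType") != 3:
            continue
        for priv in priv_by_logon_id.get(logon["TargetLogonId"], []):
            delta = _ts(priv) - _ts(logon)
            if timedelta(0) <= delta <= window:
                hits.append({"IpAddress": logon["IpAddress"], "WorkstationName": logon["WorkstationName"],
                             "TargetUserName": logon["TargetUserName"],
                             "seconds_to_privilege": delta.total_seconds()})
                break
    return hits


if __name__ == "__main__":
    for ws, users in ntlm_fan_out(SAMPLE_EVENTS).items():
        print(f"fan-out: {ws} authenticated {len(users)} accounts: {sorted(users)}")
    for hit in privileged_after_ntlm_logon(SAMPLE_EVENTS):
        print(f"privilege after NTLM logon: {hit}")
```

Both thresholds (five minutes, three accounts, sixty seconds) are starting points; tune them against the baseline of legitimate NTLM use in the environment, since the Sigma rule's own false-positive note (legacy systems) applies equally here.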
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Disable NTLM | Disable NTLM authentication where possible | Critical | Eliminates relay attack vector. |
| SMB signing | Require SMB signing on servers and domain controllers | High | Prevents SMB relay attacks. |
| LDAP signing | Enable LDAP signing and channel binding | High | Blocks LDAP relay attacks. |
| Network monitoring | Detect unusual NTLM authentication patterns | Medium | Provides early detection of relay attempts. |
| Credential protection | Use Kerberos authentication where possible | High | Reduces reliance on NTLM. |