This note documents detection patterns related to SMB Relay within Active Directory environments.

## Direct Indicators

| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | High | NTLM authentication relayed to SMB service. |
| Security | 4672 | Special privileges assigned | High | Privileged account authenticated via relay. |
| Security | 5140 | Network share accessed | High | ADMIN$ or C$ shares accessed via relayed authentication. |
| Security | 7045 | Service installed | Critical | Remote service created after successful relay. |
| Sysmon | 3 | Network connection | High | SMB connections between attacker and victim host. |

## Indirect Indicators

| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| NTLM authentication spikes | Multiple NTLM logons in a short time window | High | May indicate relay attempts or authentication coercion. |
| ADMIN$ share access | Remote administrative share usage | High | Common relay exploitation path. |
| Service creation after authentication | Service installed following NTLM login | Critical | Often used to execute payload. |
| Machine account authentication | Computer accounts authenticating unexpectedly | Medium | May indicate coerced relay chain. |

## Common Tools

| Tool | Usage |
|---|---|
| Impacket ntlmrelayx | Relays captured NTLM authentication to SMB services. |
| Responder | Captures NTLM authentication via LLMNR/NBT-NS poisoning. |
| CrackMapExec | Automates SMB relay attacks. |
| Metasploit SMB relay modules | Used for lateral movement via relay. |

## Relevant Artifacts

- Security logs (4624, 4672, 5140, 7045)
- SMB network traffic
- Sysmon network events
- EDR telemetry
- Service creation artifacts
- Share access logs

## MITRE ATT&CK References

- T1557 Adversary-in-the-Middle
- T1557.001 NTLM Relay
- T1021.002 SMB/Windows Admin Shares

## Decision Tree

- Detect NTLM authentication to SMB.
- Identify source host initiating relay.
- Inspect accessed shares (ADMIN$, C$).
- Check for service installation or command execution.
- Determine lateral movement or privilege escalation.
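
The decision tree above as a runnable correlation, added here as an example and not part of the original note: it takes a constructed batch of 4624/5140/7045 events, keeps only NTLM network logons, and grades each one by whether an admin share was opened from the same source host and a service was installed on the target within the window. The simplified field names, hosts, addresses and service name are assumptions.

```python
from datetime import datetime, timedelta

ADMIN_SHARES = ("ADMIN$", "C$")

# Constructed sample events (not real telemetry). Field names are simplified forms of the
# Windows event properties: 4624 (LogonType, AuthenticationPackageName, IpAddress),
# 5140 (ShareName, IpAddress) and 7045 (ServiceName, ImagePath; host only, no source IP).
# Note: 7045 is recorded in the System channel, not Security; only the id is modeled here.
EVENTS = [
    {"t": "2024-05-01T10:00:00", "id": 4624, "host": "FS01", "src": "10.0.0.50",
     "user": "svc_backup", "logon_type": 3, "auth": "NTLM"},
    {"t": "2024-05-01T10:00:03", "id": 5140, "host": "FS01", "src": "10.0.0.50",
     "user": "svc_backup", "share": "\\\\*\\ADMIN$"},
    {"t": "2024-05-01T10:00:08", "id": 7045, "host": "FS01",
     "service": "RemoteSvc", "image": "%SystemRoot%\\tmp.exe"},
    {"t": "2024-05-01T11:15:00", "id": 4624, "host": "FS02", "src": "10.0.0.51",
     "user": "jdoe", "logon_type": 3, "auth": "NTLM"},
    {"t": "2024-05-01T11:15:02", "id": 5140, "host": "FS02", "src": "10.0.0.51",
     "user": "jdoe", "share": "\\\\*\\Projects"},
    {"t": "2024-05-01T12:00:00", "id": 4624, "host": "DC01", "src": "10.0.0.50",
     "user": "WS07$", "logon_type": 3, "auth": "NTLM"},
    {"t": "2024-05-01T12:00:05", "id": 5140, "host": "DC01", "src": "10.0.0.50",
     "user": "WS07$", "share": "\\\\*\\C$"},
]

def _ts(e):
    return datetime.fromisoformat(e["t"])

def correlate(events, window_seconds=60):
    """Walk the decision tree: NTLM network logon -> admin share opened by the same source
    on the same host -> service installed on that host, all within window_seconds.
    Returns one finding per qualifying logon, severity 'high' or 'critical'."""
    window = timedelta(seconds=window_seconds)
    events = sorted(events, key=_ts)
    findings = []
    for logon in events:
        if logon["id"] != 4624 or logon["logon_type"] != 3 or logon["auth"] != "NTLM":
            continue  # interactive or Kerberos logons are not relay candidates
        t0, host, src = _ts(logon), logon["host"], logon["src"]
        later = [e for e in events if e["host"] == host and t0 <= _ts(e) <= t0 + window]
        admin_share = any(e["id"] == 5140 and e.get("src") == src
                          and e["share"].rsplit("\\", 1)[-1] in ADMIN_SHARES for e in later)
        if not admin_share:
            continue  # ordinary share access is not the relay exploitation path
        service_installed = any(e["id"] == 7045 for e in later)
        findings.append({"host": host, "src": src, "user": logon["user"],
                         "severity": "critical" if service_installed else "high",
                         "machine_account": logon["user"].endswith("$")})
    return findings
```

The `machine_account` flag surfaces the indirect indicator from the table above (a computer account authenticating over NTLM), which is worth triaging separately as a possible coerced relay chain.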

## Example Detection Templates

### KQL

```kql
SecurityEvent
| where EventID in (4624, 5140, 7045)
```

### EQL

```eql
network where destination.port == 445
```

### Sigma

```yaml
title: SMB Relay Activity
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4624
      - 5140
      - 7045
  condition: selection
level: high
```

## Mitigation & Hardening

| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| SMB signing | Require SMB signing | Critical | Prevents NTLM relay attacks. |
| NTLM restrictions | Disable or restrict NTLM authentication | High | Reduces relay attack surface. |
| Network segmentation | Restrict SMB communication | Medium | Limits lateral movement. |
| Monitoring | Alert on unusual NTLM authentication | High | Detects relay activity. |