Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Relay Attacks

Response

Relay response focuses on removing relayable authentication paths, reducing forced-authentication sources, and detecting directory changes caused by relayed sessions.

Disable poisoning paths

Disable LLMNR.
Disable NetBIOS over TCP/IP.
Disable mDNS where not required.
Disable WPAD or configure it explicitly.
Block outbound SMB from workstations to untrusted networks.

Require SMB signing

Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

Require LDAP signing

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LDAPServerIntegrity" -Value 2

Require LDAP channel binding

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LdapEnforceChannelBinding" -Value 2

ADCS web enrollment hardening

Disable web enrollment if not required.
Require HTTPS.
Enable Extended Protection for Authentication.
Disable NTLM on ADCS web endpoints where possible.
Restrict certificate templates usable by machine accounts.

Reduce coercion exposure

Stop-Service Spooler
Set-Service Spooler -StartupType Disabled

Reduce RBCD relay impact

Set-ADDomain -Identity ootw.local -Replace @{'ms-DS-MachineAccountQuota'=0}
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

Hunt for relay outcomes

Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,whenChanged
Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink,whenChanged
Get-ADComputer -Filter * -Properties whenCreated | Sort-Object whenCreated -Descending | Select-Object -First 20 Name,whenCreated

Useful event IDs

4624  Network logon, watch NTLM logons from unusual sources
4627  Group membership information during logon
4776  NTLM authentication validation
4648  Explicit credential use
4741  Computer account created
4742  Computer account changed
5136  Directory object modified
4662  Directory object operation
4886  Certificate request received
4887  Certificate issued
4768  TGT requested after certificate authentication
4769  Service ticket requested

Cleanup after lab

Remove attacker-created computer accounts.
Clear malicious RBCD attributes.
Remove shadow credentials from msDS-KeyCredentialLink.
Revoke certificates issued through ADCS relay.
Stop relay listeners.
Remove temporary firewall or port-forwarding changes.
Rotate secrets for accounts that were relayed into durable access.