Relay response focuses on removing relayable authentication paths, reducing forced-authentication sources, and detecting directory changes caused by relayed sessions.
Disable poisoning paths
Disable LLMNR.
Disable NetBIOS over TCP/IP.
Disable mDNS where not required.
Disable WPAD or configure it explicitly.
Block outbound SMB from workstations to untrusted networks.
Require SMB signing
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Require LDAP signing
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LDAPServerIntegrity" -Value 2
Require LDAP channel binding
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LdapEnforceChannelBinding" -Value 2
ADCS web enrollment hardening
Disable web enrollment if not required.
Require HTTPS.
Enable Extended Protection for Authentication.
Disable NTLM on ADCS web endpoints where possible.
Restrict certificate templates usable by machine accounts.
Reduce coercion exposure
Stop-Service Spooler
Set-Service Spooler -StartupType Disabled
Reduce RBCD relay impact
Set-ADDomain -Identity ootw.local -Replace @{'ms-DS-MachineAccountQuota'=0}
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
Hunt for relay outcomes
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,whenChanged
Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink,whenChanged
Get-ADComputer -Filter * -Properties whenCreated | Sort-Object whenCreated -Descending | Select-Object -First 20 Name,whenCreated
Useful event IDs
4624 Network logon, watch NTLM logons from unusual sources
4627 Group membership information during logon
4776 NTLM authentication validation
4648 Explicit credential use
4741 Computer account created
4742 Computer account changed
5136 Directory object modified
4662 Directory object operation
4886 Certificate request received
4887 Certificate issued
4768 TGT requested after certificate authentication
4769 Service ticket requested
Cleanup after lab
Remove attacker-created computer accounts.
Clear malicious RBCD attributes.
Remove shadow credentials from msDS-KeyCredentialLink.
Revoke certificates issued through ADCS relay.
Stop relay listeners.
Remove temporary firewall or port-forwarding changes.
Rotate secrets for accounts that were relayed into durable access.