Hunting for NTLM Relay Attacks
Overview
NTLM relay attacks intercept and forward NTLM authentication messages to gain unauthorized access to network resources. Attackers use tools like Responder for LLMNR/NBT-NS poisoning and ntlmrelayx for credential relay. This skill detects relay activity by querying Windows Security Event 4624 (successful logon) for type 3 network logons with NTLMSSP authentication, identifying mismatches between WorkstationName and source IpAddress, detecting rapid multi-host authentication from single accounts, and auditing SMB signing configuration across domain hosts.
When to Use
- When investigating security incidents that require hunting for ntlm relay attacks
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.9+ with Windows Event Log access or exported logs
- Windows Security audit logging enabled (Event ID 4624, 4625, 5145)
- Network access for SMB signing status checks
Key Detection Areas
- IP-hostname mismatch — WorkstationName in Event 4624 does not resolve to the source IpAddress
- NTLMSSP authentication — logon events using NTLM instead of Kerberos from domain-joined hosts
- Machine account relay — computer accounts (ending in $) authenticating from unexpected IPs
- Rapid authentication — single account authenticating to multiple hosts within seconds
- Named pipe access — Event 5145 showing access to Spoolss, lsarpc, netlogon, samr pipes
- SMB signing disabled — hosts not enforcing SMB signing, enabling relay attacks
Output
JSON report with suspected relay events, IP-hostname correlation anomalies, SMB signing audit results, and MITRE ATT&CK mapping to T1557.001.