Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
An NTLM relay attack is a sophisticated technique in which the attacker has already gained access to the network and manipulated network devices to hijack legitimate communication. NTLM relays are often paired with other attacks to enable lateral movement with stolen credentials across the network. This activity should be examined before it enables critical and costly attacks.
Kill Chain
Risk Score
84
Through a variety of techniques (such as Exchange server PushSubscription or DNS, LLMNR, or NBT-NS poisoning), an attacker can manipulate victims into sending authentication requests to the attacker. During an NTLM relay attack, the attacker acts as a machine-in-the-middle (MITM), receiving and then forwarding the NTLM messages [1]. The attacker then creates an authenticated session with the server [2]. With this technique, the attacker only needs the NTLM hash to move laterally across the network or access sensitive information stored on servers.
Disable NTLM and authenticate with Kerberos unless NTLM is required
Require SMB session signing or configure LDAP signing settings, in which the origin of an incoming packet is verified
Implement the principle of least privilege to minimize the damage caused by a compromised device
