
DETECTION OVERVIEW

Responder NTLM Activity

Risk Factors

An NTLM relay attack is a technique available to an attacker who has already gained access to the network. Responder is a well-known attack tool that makes this type of attack easy to perform, so this activity should be examined before it enables more critical and costly attacks.

Kill Chain

Exploitation

Risk Score

78


Attack Background

Responder is an open source attack tool that coerces and relays authentication requests. A device running Responder can force NTLM authentication by sending spoofed responses to name-resolution protocols such as LLMNR and the NetBIOS Name Service (NBT-NS). Responder then carries out a machine-in-the-middle (MITM) attack known as an NTLM relay (1), forwarding the captured authentication so that the attacker successfully authenticates to another service (2). This enables lateral movement across the network or access to sensitive information stored on servers.
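Added here as an illustration of how the behaviour above can be spotted from the defender's side; it is not RevealX's detection logic. The code correlates constructed name-resolution and NTLM logon records: a host that answers LLMNR/NBT-NS queries for many different names is flagged as a likely poisoner, and NTLM logons sent to that host are listed. The event fields, sample addresses and threshold are assumptions.

```python
"""Flag LLMNR/NBT-NS poisoners and the NTLM logons that follow them."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int    # seconds since capture start (assumed field)
    kind: str  # "name_reply" (LLMNR/NBT-NS answer) or "ntlm_auth" (NTLM logon)
    src: str   # host sending the name reply, or the client authenticating
    dst: str   # host that asked for the name, or the server receiving the logon
    name: str  # name that was answered, or the NTLM account being used


# Constructed sample records, not taken from any real capture.
# 10.0.0.50 answers four unrelated names (typical poisoner behaviour);
# 10.0.0.7 answers only its own name, as a legitimate host would.
EVENTS = [
    Event(1, "name_reply", "10.0.0.50", "10.0.0.21", "FILESRV01"),
    Event(2, "name_reply", "10.0.0.50", "10.0.0.22", "PRINTSVR"),
    Event(3, "name_reply", "10.0.0.50", "10.0.0.23", "WPAD"),
    Event(4, "name_reply", "10.0.0.50", "10.0.0.24", "SHAREDDRIVE"),
    Event(5, "name_reply", "10.0.0.7", "10.0.0.21", "DC01"),
    Event(6, "ntlm_auth", "10.0.0.22", "10.0.0.50", "CORP\\jdoe"),
    Event(7, "ntlm_auth", "10.0.0.21", "10.0.0.7", "CORP\\svc_backup"),
]


def find_poisoners(events, min_names=3):
    """Return hosts that answered name queries for at least min_names distinct names.

    A normal host answers only for its own name; answering for many different
    names is the hallmark of a poisoner such as Responder.
    """
    names_answered = defaultdict(set)
    for e in events:
        if e.kind == "name_reply":
            names_answered[e.src].add(e.name.upper())
    return {host for host, names in names_answered.items() if len(names) >= min_names}


def logons_to_poisoners(events, poisoners):
    """Return (client, poisoner, account) for every NTLM logon sent to a flagged host.

    These are the credentials a relay could forward to another service.
    """
    return [(e.src, e.dst, e.name)
            for e in events
            if e.kind == "ntlm_auth" and e.dst in poisoners]


if __name__ == "__main__":
    suspects = find_poisoners(EVENTS)
    for client, poisoner, account in logons_to_poisoners(EVENTS, suspects):
        print(f"{account} from {client} authenticated to suspected poisoner {poisoner}")
```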

Mitigation Options

Disable NTLM and authenticate with Kerberos unless NTLM is required
Require SMB session signing and configure LDAP signing, so that the origin of each incoming packet is verified
Implement the principle of least privilege to minimize the damage caused by a compromised device

MITRE ATT&CK ID
