medium advisory

Potential Computer Account NTLM Relay Activity

Detection of potential NTLM relay attacks targeting computer accounts by identifying authentication events originating from hosts other than the account's owner, indicating possible credential theft and misuse.

This detection rule identifies potential NTLM relay attacks targeting Windows computer accounts. The rule focuses on authentication events where a computer account (identified by a name ending in ‘$’) is used for network logon from an IP address that does not match the IP address of the host owning the account. Such activity can indicate that an attacker has captured the computer account’s NTLM hash through forced authentication techniques and is relaying it from a different machine to gain unauthorized access to resources. The rule is designed to detect activity within the last 9 months and relies on Windows Security Event Logs for analysis.

Attack Chain

  1. Attacker gains initial access to the network through various means (e.g., phishing, exploiting a vulnerability).
  2. The attacker initiates a forced authentication attack (T1187) to coerce a target machine to authenticate to a system under the attacker’s control.
  3. The attacker captures the NTLM hash of a computer account, which is automatically generated for every machine joined to the domain.
  4. The attacker uses the captured NTLM hash to relay authentication requests to other systems on the network. This leverages the “Adversary-in-the-Middle” technique (T1557), specifically “LLMNR/NBT-NS Poisoning and SMB Relay” (T1557.001).
  5. The relay attack manifests as a network logon event (event code 4624 or 4625) where the source IP address does not match the IP address of the host that owns the computer account. The AuthenticationPackageName is NTLM.
  6. The attacker gains unauthorized access to resources or performs actions on behalf of the compromised computer account.
  7. The attacker may then attempt lateral movement, privilege escalation, or data exfiltration depending on the targeted resource.
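The following Python is an added illustration of the detection logic in step 5, not the advisory's own Sigma rule: it runs over constructed 4624/4625 events and flags NTLM network logons by a computer account whose source IP is not one of the owning host's addresses. The asset inventory (ASSET_IPS), the sample events and the local-logon placeholder set are assumptions made for the example.

```python
# Added example (not the advisory's rule): spot computer-account NTLM network logons
# whose source IP is not an address of the host that owns the account.

# Constructed asset inventory (assumption): computer account -> the owning host's IPs,
# as a CMDB or DHCP/DNS export would supply in practice.
ASSET_IPS = {
    "WS01$": {"10.0.1.15"},
    "FS01$": {"10.0.1.20", "10.0.2.20"},
}

# Constructed Security events, reduced to the 4624/4625 fields the rule needs.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "WS01$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.15"},
    {"EventID": 4624, "TargetUserName": "ws01$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.9.77"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.9.77"},
    {"EventID": 4624, "TargetUserName": "FS01$", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.9.77"},
    {"EventID": 4624, "TargetUserName": "FS01$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "-"},
    {"EventID": 4625, "TargetUserName": "FS01$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.5.5"},
    {"EventID": 4624, "TargetUserName": "WS01$", "LogonType": 2, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.9.77"},
    {"EventID": 4624, "TargetUserName": "DC02$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.3.3"},
]

# Source values Windows writes when the logon originates on the host itself (assumption:
# treat these as "not relayed from elsewhere" to avoid self-logon false positives).
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}


def is_computer_account_ntlm_network_logon(ev):
    """Base filter: 4624/4625, network logon (type 3), NTLM package, account ending in '$'."""
    return (ev["EventID"] in (4624, 4625)
            and ev["LogonType"] == 3
            and ev["AuthenticationPackageName"].upper() == "NTLM"
            and ev["TargetUserName"].endswith("$"))


def find_relay_candidates(events, asset_ips):
    """Return (account, source_ip, event_id, reason) tuples worth an analyst's look.
    'source-ip-mismatch' is the rule's core signal; 'no-inventory-entry' means the
    owner's IP is unknown, so the comparison from the advisory's recommendation must be done by hand."""
    hits = []
    for ev in events:
        if not is_computer_account_ntlm_network_logon(ev) or ev["IpAddress"] in LOCAL_SOURCES:
            continue
        account, src = ev["TargetUserName"].upper(), ev["IpAddress"]
        owner_ips = asset_ips.get(account)
        if owner_ips is None:
            hits.append((account, src, ev["EventID"], "no-inventory-entry"))
        elif src not in owner_ips:
            hits.append((account, src, ev["EventID"], "source-ip-mismatch"))
    return hits


if __name__ == "__main__":
    for hit in find_relay_candidates(EVENTS, ASSET_IPS):
        print("candidate relay: account=%s source_ip=%s event=%d reason=%s" % hit)
```

Both the successful logon (4624) and the failed one (4625) are reported, since a relay attempt that fails against one target still shows the account being used from a foreign address.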

Impact

Successful NTLM relay attacks against computer accounts can grant attackers unauthorized access to critical systems and data within the Windows domain. This could lead to privilege escalation, lateral movement, and ultimately, compromise of the entire domain. While the exact number of affected organizations is unknown, any organization relying on NTLM authentication and Active Directory is potentially vulnerable. The impact includes data breaches, system compromise, and significant disruption to business operations.

Recommendation

  • Enable Audit Logon in Windows to generate the necessary security events for this rule to function, as described in the provided setup instructions.
  • Deploy the Sigma rule below to your SIEM to detect potential computer account relay activity and tune for your environment.
  • Investigate any alerts generated by the Sigma rule by comparing the source.ip to the target server host.ip addresses to confirm it’s indeed a remote use of the machine account.
  • Strengthen network segmentation to limit the attack surface for credential relay attacks, as recommended in the remediation steps.
  • Monitor for anomalous authentication patterns and NTLM-related activity to identify and respond to potential relay attacks.

Detection coverage (2)

Potential Computer Account NTLM Relay Activity - Sigma

medium

Detects potential relay attacks against Computer accounts based on NTLM authentication from unusual source IPs.

Format: sigma | Tactics: credential_access | Techniques: T1187, T1557, T1557.001 | Sources: authentication, windows

Potential Computer Account NTLM Relay Activity - EQL Translation

medium

Detects potential relay attacks against Computer accounts based on NTLM authentication from unusual source IPs. (EQL Translation of First Rule)

Format: sigma | Tactics: credential_access | Techniques: T1187, T1557, T1557.001 | Sources: authentication, windows

Detection queries are kept inside the platform.