Tag

Ntlm-Relay

3 briefs RSS

Detecting Potential PowerShell Pass-the-Hash/Relay Scripts

This rule detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation artifacts, indicating potential credential access and lateral movement attempts by attackers.

Windows credential-access pass-the-hash ntlm-relay powershell

2r 2t Jul 3, 2024

high advisory

Potential Local NTLM Relay via HTTP

2 rules 1 TTP

Adversaries may coerce local NTLM authentication over HTTP via WebDAV named-pipe paths (Print Spooler, SRVSVC), then relay credentials to elevate privileges.

Microsoft Defender XDR +1 ntlm-relay credential-access windows webdav

2r 1t Jan 9, 2024

high advisory

Potential NTLM Relay Attack against a Computer Account

2 rules

This rule detects potential NTLM relay attacks against computer accounts by identifying coercion attempts followed by authentication events originating from a different host, indicating that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.

Windows Security Event Logs credential-access ntlm-relay windows

2r Jan 3, 2024