Skill

hunting-for-ntlm-relay-attacks

From asi

Detects NTLM relay attacks by analyzing Windows Event 4624 logs for logon type 3 NTLMSSP auth, IP-hostname mismatches, Responder signatures, SMB signing, and suspicious domain patterns. For threat hunting.

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

NTLM relay attacks intercept and forward NTLM authentication messages to gain unauthorized access to network resources. Attackers use tools like Responder for LLMNR/NBT-NS poisoning and ntlmrelayx for credential relay. This skill detects relay activity by querying Windows Security Event 4624 (successful logon) for type 3 network logons with NTLMSSP authentication, identifying mismatches between...

SKILL.md

Similar Skills

hunting-for-ntlm-relay-attacks

5.9k

Detects NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP, IP-hostname mismatches, Responder signatures, SMB signing, and suspicious patterns across domains.

3 files

cybersecurity-skills

hunting-for-ntlm-relay-attacks

Detects NTLM relay attacks by analyzing Windows event 4624 for NTLMSSP auth, IP-hostname mismatches, Responder traffic signatures, SMB signing status, and cross-domain suspicious patterns. Useful for threat hunting in AD environments.

3 files

cybersecurity-skills-zh

detecting-ntlm-relay-with-event-correlation

Detects NTLM relay attacks via Windows Security Event 4624 LogonType 3 correlation, IP-to-hostname mismatches, Responder/LLMNR poisoning, SMB/LDAP signing audits, and NTLMv2-to-v1 downgrades in Active Directory.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Hunting for NTLM Relay Attacks

Overview

When to Use

When investigating security incidents that require hunting for ntlm relay attacks

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.9+ with Windows Event Log access or exported logs

Windows Security audit logging enabled (Event ID 4624, 4625, 5145)

Network access for SMB signing status checks

Key Detection Areas

IP-hostname mismatch — WorkstationName in Event 4624 does not resolve to the source IpAddress

NTLMSSP authentication — logon events using NTLM instead of Kerberos from domain-joined hosts

Machine account relay — computer accounts (ending in $) authenticating from unexpected IPs

Rapid authentication — single account authenticating to multiple hosts within seconds

Named pipe access — Event 5145 showing access to Spoolss, lsarpc, netlogon, samr pipes

SMB signing disabled — hosts not enforcing SMB signing, enabling relay attacks

Output

JSON report with suspected relay events, IP-hostname correlation anomalies, SMB signing audit results, and MITRE ATT&CK mapping to T1557.001.