How to Detect NTLM Relay Attacks and Enforce SMB Signing

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
NTLM relay attacks are one of the most impactful lateral movement techniques in Active Directory environments: they require no cracked passwords, work against any server that accepts NTLM, and can directly compromise domain controllers via LDAP relay when LDAP signing is not enforced.
The attack chain: Responder poisons LLMNR/NBNS to capture NTLM authentication challenges from any domain user's workstation, ntlmrelayx relays those challenges to a target server (another workstation, file server, MSSQL, or DC), and the attacker authenticates as the victim. On DCs without LDAP signing enforced, ntlmrelayx can create a new domain admin account in seconds.
How NTLM Relay Works
Attack flow with Responder + ntlmrelayx:
1. Attacker starts ntlmrelayx targeting all domain computers:
ntlmrelayx.py -tf targets.txt -smb2support
(targets.txt = list of all domain IPs from nmap/netdiscover)
2. Attacker starts Responder to capture NTLM challenges:
Responder.py -I eth0 -rdwv
3. Victim's workstation sends NTLM challenge to Responder:
- Victim browses \\fileserver (typo, or LLMNR poisoned)
- Windows sends NTLMv2 challenge to Responder's fake server
- Responder captures the challenge and sends to ntlmrelayx
4. ntlmrelayx relays the challenge to target servers:
- Tries to authenticate to each IP in targets.txt
- On success: drops a shell, dumps SAM, or creates accounts
Terminal output of successful relay:
[*] SMBD-Thread-4: Connection from 10.1.1.50 controlled, attacking target smb://10.1.1.100
[*] Authenticating against smb://10.1.1.100 as CORP\JSMITH SUCCEED
[*] Target is not signing, dumping SAM hashes...
Administrator:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
LDAP relay (domain admin creation):
# If target is a DC and LDAP signing is not enforced:
ntlmrelayx.py -t ldaps://dc01.corp.local --add-computer AttackerPC$
# Or create a user with domain admin rights:
ntlmrelayx.py -t ldap://dc01.corp.local --escalate-user lowpriv_user
Prevention: Enforce SMB Signing via GPO
SMB signing prevents NTLM relay over SMB by requiring each packet to be signed. When signing is required, captured NTLM challenges from one connection cannot be used to authenticate on a different connection.
GPO settings to enforce SMB signing on all domain members:
Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options
For SMB server (incoming connections):
"Microsoft network server: Digitally sign communications (always)"
Value: Enabled
For SMB client (outgoing connections):
"Microsoft network client: Digitally sign communications (always)"
Value: Enabled
Registry equivalents (for verification):
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
RequireSecuritySignature = 1 (server: incoming)
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
RequireSecuritySignature = 1 (client: outgoing)
# Verify SMB signing is required on a host:
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
# RequireSecuritySignature : True ← relay impossible (required)
# RequireSecuritySignature : False ← relay possible (optional or disabled)
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
# Check domain-wide via PowerShell (run from domain-joined machine):
Get-ADComputer -Filter * -Properties OperatingSystem | Where-Object {
$_.OperatingSystem -like '*Windows*'
} | ForEach-Object {
$computer = $_.DNSHostName
try {
$config = Invoke-Command -ComputerName $computer -ScriptBlock {
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
} -ErrorAction Stop
[PSCustomObject]@{
Computer = $computer
RequireSigning = $config.RequireSecuritySignature
}
} catch {
[PSCustomObject]@{ Computer = $computer; RequireSigning = 'ERROR' }
}
} | Sort-Object RequireSigning
# Identify all machines still showing RequireSigning = False
Also enforce LDAP signing and channel binding (prevents LDAP relay):
Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options
"Domain controller: LDAP server signing requirements"
Value: Require signing
"Domain controller: LDAP server channel binding token requirements"
Value: Always (requires Windows Server 2019 + April 2020 or later patches)
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Detection: Windows Event Log Monitoring
Event 4624 Type 3 with NTLM from unexpected sources:
// Detect NTLM logons from machines that should not be authenticating to each other
// Focus: workstation-to-workstation NTLM (not DCs, not servers)
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 3 // Network logon
| where AuthenticationPackageName == "NTLM"
// Exclude expected service accounts and machine accounts:
| where TargetUserName !endswith "$" // Exclude machine account logons
| where TargetDomainName != "NT AUTHORITY"
| extend SourceIP = tostring(IpAddress)
| extend TargetComputer = Computer
// Alert when the source IP is a workstation range (not a server or DC):
// Adjust IP ranges to match your environment
| where SourceIP startswith "10.1.1." // Workstation subnet
| where TargetComputer !in ("dc01", "dc02", "fileserver01") // Not to expected servers
| summarize
Count = count(),
TargetAccounts = make_set(TargetUserName),
SourceIPs = make_set(SourceIP)
by TargetComputer, bin(TimeGenerated, 1h)
| where Count > 5 // Multiple NTLM logons = relay tool scanning
Detect ntlmrelayx SAM dump indicator (mass logon attempts):
// ntlmrelayx dumps SAM by authenticating then calling registry service
// Indicator: rapid successful NTLM logons from a single source IP
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM"
| summarize LogonCount = count() by IpAddress, bin(TimeGenerated, 5m)
| where LogonCount > 10 // More than 10 NTLM logons in 5 minutes from one IP
| project TimeGenerated, IpAddress, LogonCount
// High confidence: ntlmrelayx scanning with -tf targets.txt generates rapid logons
Detect Responder via Event 4776 anomalies:
// Event 4776 = NTLM authentication attempt (on DC)
// Responder captures appear as auth attempts TO the DC from rogue machine
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4776 // Credential validation via NTLM
| where Status != "0x0" // Failed authentications
// Bulk failed NTLM auths from one source = Responder capturing challenges:
| summarize FailureCount = count() by WorkstationName, bin(TimeGenerated, 10m)
| where FailureCount > 20
Additional Mitigations
Disable NTLM entirely for Kerberos-capable services (gold standard):
GPO: Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options
"Network security: Restrict NTLM: NTLM authentication in this domain"
Value: Deny all (requires thorough testing: will break legacy apps that require NTLM)
Alternative: Start with Audit mode to identify NTLM users:
"Network security: Restrict NTLM: Audit NTLM authentication in this domain"
Value: Enable all
Then review Event 8004 in the Microsoft-Windows-NTLM/Operational event log
Enable Extended Protection for Authentication (EPA) on IIS:
# EPA prevents NTLM relay to HTTP/HTTPS endpoints
# Requires Windows Server 2019+ and modern clients
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' \
-Name 'extendedProtection.tokenChecking' -Value 'Require'
Honey credentials for relay detection:
# Create a honey account with a weak password that triggers alerts on any use:
New-ADUser -Name 'svc-backup01' -SamAccountName 'svc-backup01' \
-AccountPassword (ConvertTo-SecureString 'HoneyPassword123!' -AsPlainText -Force) \
-Enabled $true
# Alert: any successful logon for this account = credential theft or relay
# In Sentinel: alert on SecurityEvent where TargetUserName == 'svc-backup01' and EventID == 4624
The bottom line
NTLM relay attacks are prevented by enforcing SMB signing on all domain members via GPO (Microsoft network server: Digitally sign communications (always) = Enabled + Microsoft network client: Digitally sign communications (always) = Enabled). Also enforce LDAP signing on domain controllers to prevent relay to LDAP. Detection focuses on Event 4624 Type 3 NTLM logons from unexpected source IPs: ntlmrelayx generates rapid NTLM logons from a single IP scanning its target list. Use KQL to alert on more than 10 NTLM network logons from a single source IP within 5 minutes, and on workstation-to-workstation NTLM logons that should not occur in your environment.
Frequently asked questions
How does SMB signing prevent NTLM relay attacks?
SMB signing requires each SMB packet to be cryptographically signed using a key derived from the authenticated session. When SMB signing is required, an attacker who captures an NTLM authentication challenge from one connection cannot relay it to establish a different SMB session: the relay target requires signed packets, and the attacker does not have the session key needed to produce valid signatures. Enable SMB signing via GPO: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network server: Digitally sign communications (always) = Enabled.
What Event ID indicates an NTLM relay attack succeeded?
Event ID 4624 with Logon Type 3 (network logon) and Authentication Package = NTLM on the target machine indicates a successful NTLM relay. Alert on bulk Type 3 NTLM logons (more than 10 in 5 minutes) from a single source IP: this is ntlmrelayx scanning its target list. Also monitor Event ID 4776 failures: Responder capturing NTLM challenges generates failed authentication attempts visible on the domain controller.
How does SMB signing prevent NTLM relay attacks?
SMB signing cryptographically signs each SMB packet using the session key established during authentication. When an attacker relays NTLM authentication, they obtain a valid session but do not have the session key — because the session key is derived from the user's password hash that the attacker does not know. Without the session key, the attacker cannot produce valid packet signatures, and the target server rejects the connection. Enforce SMB signing via Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network server: Digitally sign communications always = Enabled, and Microsoft network client: Digitally sign communications always = Enabled.
How do I enforce SMB signing across all Windows domain systems?
Apply two Group Policy settings: 'Microsoft network server: Digitally sign communications (always)' and 'Microsoft network client: Digitally sign communications (always)' — both must be set to Enabled for complete enforcement. Without the client-side setting, domain members can connect to non-signing servers and create relay opportunities. Additionally, enforce LDAP signing on domain controllers (Domain controller: LDAP server signing requirements = Require signature) to prevent LDAP relay attacks (used in PetitPotam+relay attacks). Before enforcing, audit all non-Windows devices on the network: older NAS devices, printers, and network appliances may not support SMB signing and will fail to authenticate.
What is the difference between NTLM relay, SMB relay, and LDAP relay?
NTLM relay is the general technique of intercepting an NTLM authentication and forwarding it to a different service. SMB relay uses the captured NTLM authentication against SMB services: if SMB signing is not enforced, the attacker gets file system access or remote command execution via SMB. LDAP relay uses the captured NTLM against the domain controller's LDAP service: if LDAP signing and channel binding are not enforced, the attacker can query Active Directory or modify objects (reset passwords, add group members) using the victim's permissions. LDAP relay is particularly dangerous because it can be combined with PetitPotam to coerce domain controllers to authenticate to the attacker, then relay those credentials to LDAP to perform DCSync-equivalent operations.
How do you audit which domain machines still have SMB signing disabled, and what is the fastest remediation path?
Audit SMB signing status with PowerShell using Invoke-Command across domain computers: 'Get-ADComputer -Filter * | ForEach-Object { Invoke-Command -ComputerName $_.Name -ScriptBlock { Get-SmbServerConfiguration | Select RequireSecuritySignature } }'. Alternatively, use the Nmap smb2-security-mode script: 'nmap -p 445 --script smb2-security-mode 10.0.0.0/24' -- hosts reporting 'message signing enabled but not required' are vulnerable to relay. For non-compliant machines, check gpresult /r on sample hosts to confirm the hardening GPO is applying: common failure causes are a competing GPO at a higher OU level setting signing to 'not required,' or the machine being outside the GPO's scope. For rapid remediation without waiting for the 90-minute GP refresh: use PSExec or Ansible to run 'gpupdate /force' on all identified non-compliant machines immediately after pushing the GPO. Always test SMB signing enforcement in a pilot OU first -- some older NAS devices, scanners, and legacy applications do not support SMB signing and will fail to connect after enforcement.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
