Detecting NTLM Relay Attacks
How to detect and defend against NTLM relay — coercion primitives, the CVE-2025-24054 case, ADCS ESC8 audit events, and the SMB/LDAP signing plus EPA that stop it.
NTLM relay remains the most reliable path from a foothold to Domain Admin, and 2025 proved it: CVE-2025-24054, an NTLM hash-disclosure flaw, was exploited in the wild within eight days of its March 2025 patch and added to CISA’s KEV catalog. Detecting it means watching two things: the coercion that forces a machine to authenticate, and the relay landing at a domain controller or AD CS. This guide ships the detection and the layered signing controls that actually close the relay surface.
NTLM relay maps to MITRE ATT&CK T1557.001 — Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, usually reached via T1187 — Forced Authentication. It builds on the credential-harvesting theme of LSASS dumping and the AD focus of Kerberoasting.
What is an NTLM relay attack?
In an NTLM relay, the attacker does not crack a password — they pass the authentication along. They coerce a victim machine into authenticating to a host they control, then relay that authentication to a different service (LDAP on a domain controller, HTTP on AD CS web enrollment) to act as the victim. Because NTLM lacks the channel binding that would tie the auth to its destination, the relayed handshake is accepted.
The relay is only as good as the coercion that feeds it. Primitives like PetitPotam (MS-EFSRPC), PrinterBug (Print Spooler), DFSCoerce, and ShadowCoerce force a machine — often a domain controller — to authenticate on demand, most needing no authentication on default server configs. That combination is why relay is a top red-team path year after year.
What does the NTLM relay kill chain look like?
| Stage | What happens | Detection opportunity |
|---|---|---|
| Coercion | PetitPotam/PrinterBug/DFSCoerce forces auth | Anomalous RPC (MS-EFSRPC, MS-RPRN) to a non-DC host |
| Relay | Captured NTLM relayed to LDAP/AD CS | NTLM network logon (4624 type 3) to DC/AD CS from odd source |
| AD CS ESC8 | Relayed identity requests a cert | AD CS audit Events 4886 / 4887 |
| Escalation | Cert used to authenticate as DA | TGT requests from a freshly issued certificate |
The throughline: relay is noisy if you collect the right events, and invisible if you don’t — most SOCs simply aren’t logging AD CS certificate requests.
How to detect NTLM relay attacks
The relay lands as an NTLM network logon to a domain controller or AD CS from a source that should not be initiating it. Collect the AD CS audit events and DC logons, then alert on the anomaly.
```yaml
title: NTLM Network Logon to AD CS or Domain Controller
id: 7c3e9a14-darkpwn-illustrative
status: experimental
description: >
  NTLM network logon by a machine account on a domain controller or AD CS
  host. A relayed coerced authentication lands as the coerced machine's
  computer account arriving over NTLM from a host that is not that machine.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 3
    AuthenticationPackageName: 'NTLM'
  scope:
    # Event 4624 has no target-server field; it is logged on the host that
    # accepted the logon, so scope on the logging computer's name. The
    # substrings are illustrative; use your own DC and CA host naming.
    Computer|contains: ['CERTSRV', 'LDAP', 'ADCS']
  machine_account:
    # The relayed identity is the account that logged on (TargetUserName);
    # SubjectUserName is normally '-' for network logons.
    TargetUserName|endswith: '$'
  filter_allowlisted:
    # Inventoried legacy sources allowed to use NTLM to these hosts (placeholder)
    IpAddress: ['REPLACE-WITH-ALLOWLISTED-IP']
  condition: selection and scope and machine_account and not filter_allowlisted
falsepositives:
  - Legacy apps using NTLM to these services (inventory and allowlist them)
level: high
```
How to test your NTLM relay detection
In an isolated AD lab you own:
- Trigger a coercion primitive (e.g. a lab PetitPotam) against a test host and confirm the RPC/coercion signal appears.
- Relay to a test AD CS and confirm Events 4886/4887 fire and your rule correlates.
- Confirm SMB signing on the target blocks the SMB relay path.
- Confirm LDAP signing + channel binding blocks the LDAP relay path.
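The rule logic above, plus the correlation the lab test calls for (a relay landing followed by Events 4886/4887 for the same identity), as an added worked example that is not code from the original page. It runs over constructed, simplified 4624/4886/4887 records; the host names, IP addresses, allowlist, the `DOMAIN\account` form of the `Requester` field and the five-minute correlation window are assumptions for the example, not values from the page.

```python
from datetime import datetime, timedelta

# Hypothetical lab inventory (assumption, not from the page): hosts that should
# only receive Kerberos logons, the IP each machine account normally comes
# from, and inventoried legacy sources allowed to use NTLM to those hosts.
RELAY_TARGETS = {"DC01", "CA01"}
KNOWN_HOST_IPS = {"DC01$": "10.0.0.10", "CA01$": "10.0.0.11"}
ALLOWLISTED_SOURCES = {"10.0.0.50"}

# Constructed sample events (subset of the real 4624/4886/4887 fields).
CONSTRUCTED_EVENTS = [
    # Benign Kerberos logon to the DC: not NTLM, ignored
    {"EventID": 4624, "TimeCreated": "2025-03-20T10:00:01", "Computer": "DC01",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.0.0.23"},
    # Inventoried legacy app using NTLM to the DC: suppressed by the allowlist
    {"EventID": 4624, "TimeCreated": "2025-03-20T10:00:02", "Computer": "DC01",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "LEGACYAPP01$", "IpAddress": "10.0.0.50"},
    # Relay landing: DC01's machine account arrives at the CA over NTLM from
    # 10.0.0.99, which is not DC01's own address
    {"EventID": 4624, "TimeCreated": "2025-03-20T10:00:05", "Computer": "CA01",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "DC01$", "IpAddress": "10.0.0.99"},
    # AD CS audit: request received (4886), then issued (4887), for that identity
    {"EventID": 4886, "TimeCreated": "2025-03-20T10:00:06", "Computer": "CA01",
     "RequestId": "42", "Requester": "LAB\\DC01$"},
    {"EventID": 4887, "TimeCreated": "2025-03-20T10:00:07", "Computer": "CA01",
     "RequestId": "42", "Requester": "LAB\\DC01$"},
    # Unrelated user request well outside the window
    {"EventID": 4886, "TimeCreated": "2025-03-20T11:30:00", "Computer": "CA01",
     "RequestId": "43", "Requester": "LAB\\bob"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def is_relay_landing(ev):
    """NTLM network logon by a machine account on a DC/CA host, source not allowlisted."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return False
    if ev.get("AuthenticationPackageName") != "NTLM":
        return False
    if ev.get("Computer") not in RELAY_TARGETS:
        return False
    if not ev.get("TargetUserName", "").endswith("$"):
        return False
    return ev.get("IpAddress") not in ALLOWLISTED_SOURCES


def find_relay_landings(events):
    """Return candidate relay landings, flagging a machine account that arrives
    from an IP it does not own (the strongest single tell of a relay)."""
    hits = []
    for ev in events:
        if is_relay_landing(ev):
            expected = KNOWN_HOST_IPS.get(ev["TargetUserName"])
            hits.append({
                "time": ev["TimeCreated"],
                "target_host": ev["Computer"],
                "account": ev["TargetUserName"],
                "source_ip": ev["IpAddress"],
                "source_mismatch": expected is not None and expected != ev["IpAddress"],
            })
    return hits


def correlate_esc8(events, window_seconds=300):
    """Pair each relay landing on a CA with 4886/4887 events for the same
    requester account on that CA within the window after the logon."""
    cert_events = [e for e in events if e.get("EventID") in (4886, 4887)]
    chains = []
    for landing in find_relay_landings(events):
        t0 = datetime.fromisoformat(landing["time"])
        matched = []
        for ce in cert_events:
            requester = ce.get("Requester", "").split("\\")[-1]  # strip DOMAIN\ prefix
            delta = _ts(ce) - t0
            if (ce.get("Computer") == landing["target_host"]
                    and requester.lower() == landing["account"].lower()
                    and timedelta(0) <= delta <= timedelta(seconds=window_seconds)):
                matched.append(ce)
        if matched:
            chains.append({
                "landing": landing,
                "request_ids": sorted({ce["RequestId"] for ce in matched}),
                "issued": any(ce["EventID"] == 4887 for ce in matched),
            })
    return chains


if __name__ == "__main__":
    for chain in correlate_esc8(CONSTRUCTED_EVENTS):
        print(chain)
```

Running it reports one chain: `DC01$` logging on to `CA01` over NTLM from an address that is not DC01's, followed within seconds by request `42` being received and issued. In a lab, feed it the events from your own coercion-plus-relay test; a landing with no cert events within the window is still worth an alert, since an LDAP relay to a DC never touches the CA.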
How to defend against NTLM relay
- Disable LLMNR and NBT-NS to remove passive coercion/poisoning paths.
- Patch NTLM CVEs immediately (CVE-2025-24054, CVE-2025-33073) — KEV-listed and fast to weaponize.
- Move off NTLM toward Kerberos and phishing-resistant auth where applications allow.
Common NTLM relay detection mistakes
- No AD CS audit logging. ESC8 relay is invisible without Events 4886/4887.
- Partial signing. SMB signing alone leaves the LDAP path open.
- Ignoring coercion RPC. The relay starts with a forced authentication.
- Treating NTLM as legacy. NTLMv2 relay works on current default configs.
NTLM relay detection checklist
- Enable AD CS audit Events 4886 and 4887 on every certificate authority.
- Alert on NTLM network logons (4624 type 3) to DCs/AD CS from unexpected sources.
- Alert on coercion RPC (MS-EFSRPC, MS-RPRN) to non-DC hosts.
- Enforce SMB signing on all machines.
- Enforce LDAP signing and LDAP channel binding (EPA) on DCs.
- Enable EPA on AD CS web enrollment.
- Disable LLMNR/NBT-NS; patch NTLM CVEs (CVE-2025-24054, CVE-2025-33073).
- Test coercion, relay, and each signing control in an AD lab.
The takeaway
Detecting NTLM relay means watching the coercion and the relay landing — anomalous NTLM logons and AD CS Events 4886/4887 — while closing the surface with SMB signing, LDAP signing, and EPA together. Patch the NTLM CVEs fast; they weaponize in days. Continue with LSASS credential dumping detection, Kerberoasting and the relay-to-CA chain in detecting AD CS abuse (ESC1–ESC8), or browse the full Detection Engineering pillar.
Training & tools referenced
Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.
- TryHackMe: authorized labs to practice Active Directory attack detection (Security Training)
Frequently asked questions
How do you detect an NTLM relay attack?
Watch for the coercion and the relay landing. Alert on anomalous NTLM network logons (Event ID 4624, logon type 3, NTLM package) to domain controllers and AD CS, on machine accounts authenticating where they should not, and enable AD CS audit Event IDs 4886/4887 to see certificate requests from relayed identities. Coercion tools also generate distinctive RPC calls.
What stops NTLM relay attacks?
No single control is enough. You need SMB signing required on all machines, LDAP signing required on domain controllers, and LDAP channel binding (EPA) — plus EPA on AD CS web enrollment. Together they close the SMB and LDAP relay paths; implementing only one leaves the unsigned protocol open.
What is a coercion attack?
Coercion forces a Windows machine to authenticate to an attacker-controlled host using primitives like PetitPotam (MS-EFSRPC), PrinterBug (Print Spooler), DFSCoerce, and ShadowCoerce — most of which need no authentication on default Server 2019/2022. The captured authentication is then relayed onward.
Is NTLM relay still a threat in 2026?
Yes. Despite Microsoft's NTLM deprecation, NTLMv2 remains permitted and default server configurations leave relay protections off. CVE-2025-24054 was exploited in the wild within days of its March 2025 patch, and the coercion to relay to AD CS ESC8 to Domain Admin chain still works against most enterprises.