Potential Computer Account NTLM Relay Activity

Author: Elastic
Source: upstream

Identifies potential relay activities against a Computer account by identifying authentication events using the computer account coming from from hosts other than the server that owns the account. Attackers may relay the computer account hash after capturing it using forced authentication.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1187` Forced Authentication, `T1557` Adversary-in-the-Middle, `T1557.001` Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Collection	`T1557` Adversary-in-the-Middle, `T1557.001` Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4625	An account failed to log on.

Stages and Predicates

Stage 1: `eql:authentication`

not host.ip contains and not source.ip ends_with and host.name starts_with and not source.ip:"127.0.0.1" and not source.ip:"::1" and user.name:"*$" and not user.name:"$" and winlog.event_data.AuthenticationPackageName:"NTLM" and winlog.logon.type:"Network"

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`host.ip`	contains	(no value — null check)
2	`source.ip`	ends_with	(no value — null check)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`source.ip`	ne	`127.0.0.1` corpus 8 (elastic 8) `::1` corpus 7 (elastic 7)
`user.name`	ends_with	`$` corpus 18 (sigma 14, elastic 4)
`user.name`	ne	`$`
`winlog.event_data.AuthenticationPackageName`	eq	`NTLM` corpus 2 (sigma 1, elastic 1)
`winlog.logon.type`	eq	`Network` corpus 4 (elastic 4)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Multiple Logon Failure Followed by Logon Success [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Remote Windows Service Installed [elastic]
Suspicious Service was Installed in the System [elastic]
Service Creation via Local Kerberos Authentication [elastic]
Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]
Multiple Logon Failure Followed by Logon Success [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Windows Identify PowerShell Web Access IIS Pool [splunk]
Windows Local Administrator Credential Stuffing [splunk]