Potential NTLM Relay Attack against a Computer Account

Author: Elastic
Source: upstream

Detects potential relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host. This may indicate that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1187` Forced Authentication, `T1557` Adversary-in-the-Middle, `T1557.001` Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Collection	`T1557` Adversary-in-the-Middle, `T1557.001` Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4625	An account failed to log on.
Security-Auditing	5145	A network share object was checked to see whether client can be granted desired access.

Stages and Predicates

Stage 1: `eql:file`

not winlog.computer_name starts_with and file.name:"Spoolss"

Stage 2: `eql:authentication`

not source.ip ends_with and not source.ip:"127.0.0.1" and not source.ip:"::1" and user.name:"*$" and winlog.computer_name starts_with and winlog.event_data.AuthenticationPackageName:"NTLM" and winlog.logon.type:"network"

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`computer_name`	starts_with	(no value — null check)
1	`source.ip`	ends_with	(no value — null check)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`file.name`	wildcard	`FssagentRpc` corpus 2 (elastic 2) `Spoolss` corpus 2 (elastic 2) `WinsPipe` corpus 2 (elastic 2) `dhcpserver` corpus 2 (elastic 2) `dnsserver` corpus 2 (elastic 2) `efsrpc` corpus 2 (elastic 2) `eventlog` corpus 2 (elastic 2) `lsarpc` corpus 2 (elastic 2) `lsass` corpus 2 (elastic 2) `netdfs` corpus 2 (elastic 2) `netlogon` corpus 2 (elastic 2) `samr` corpus 2 (elastic 2) `srvsvc` corpus 2 (elastic 2) `winreg` corpus 2 (elastic 2)
`source.ip`	ne	`127.0.0.1` corpus 8 (elastic 8) `::1` corpus 7 (elastic 7)
`user.name`	ends_with	`$` corpus 18 (sigma 14, elastic 4)
`winlog.event_data.AuthenticationPackageName`	wildcard	`NTLM`
`winlog.logon.type`	wildcard	`network` corpus 2 (elastic 2)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Remote Windows Service Installed [elastic]
Suspicious Service was Installed in the System [elastic]
Service Creation via Local Kerberos Authentication [elastic]
Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]
Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Windows Identify PowerShell Web Access IIS Pool [splunk]
Windows Local Administrator Credential Stuffing [splunk]