Home
%3CLINGO-SUB%20id%3D%22lingo-sub-334511%22%20slang%3D%22en-US%22%3EHow%20to%20win%20the%20latest%20security%20race%20over%20NTLM%20relay%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-334511%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EDetecting%20ExchangePriv%20vulnerability%20with%20Azure%20ATP%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENTLM%20relay%20vulnerability%20is%20not%20a%20new%20phenomenon.%20With%20the%20added%20security%20mechanisms%20implemented%20in%20signed%20NTLMv2%20making%20successful%20attacks%20seem%20more%20and%20more%20unlikely%2C%20it%20would%20appear%20there%20would%20be%20very%20little%20to%20talk%20about%20here.%20Right%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWrong!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20fact%2C%20there%20are%20attack%20vectors%20that%20remain%20where%20NTLMv1%20or%20unsigned%20NTLMv2%20is%20relayed%20by%20attackers%20in%20the%20domain%20environment.%20In%20addition%2C%20although%20NTLMv1%20and%20unsigned%20NTLMv2%20should%20no%20longer%20be%20in%20use%2C%20our%20most%20recent%20research%20found%20that%20NTLMv1%20is%20still%20commonly%20used%20in%20about%2030-40%25%20of%20the%20environments.%20These%20legacy%20protocols%20are%20used%2C%20by%20default%2C%20on%20servers%20running%20old%20versions%20of%20Windows%20(Windows%20Vista%20or%20Windows%20Server%202008%20and%20earlier%20versions)%20but%20can%20also%20be%20seen%20in%20new%20versions%20which%20support%20backward%20compatibility%2C%20or%20processes%20that%20implement%20the%20authentication%20mechanism%20themselves%20(such%20as%20Python%20modules%20like%20%E2%80%9C%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FSecureAuthCorp%2Fimpacket%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EImpacket%3C%2FA%3E%E2%80%9D).%20Furthermore%2C%20newly%20discovered%20vulnerabilities%20can%20lead%20to%20easy%20exploitation%20of%20domain%20controllers%2C%20even%20faster%20than%20previously%20thought%20possible.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESigned%20NTLMv2%20has%20a%20signing%20and%20sealing%20mechanism%20that%20prevents%20tampering%20and%20relay%20impersonation.%20The%20version%20of%20NTLM%2C%20however%2C%20used%20in%20each%20domain%20depends%20on%20the%20source%20computer%20that%20initiates%20authentication.%20The%20source%20computer%20in%20different%20domains%20can%20be%20configured%20differently%20based%20on%20operating%20system%20version%2C%20LMCompatibilityLevel%20registry%20override%20or%20Group%20Policy%20Object%20(GPO)%20configuration.%20In%20other%20words%2C%20even%20if%20you%20are%20running%20newer%20versions%20of%20Windows%20and%20Active%20Directory%20servers%2C%20you%20may%20be%20running%20client%20services%20that%20still%20use%20NTLMv1%20without%20realizing%20it%2C%20leaving%20your%20organization%20equally%20exposed.%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhile%20new%20vulnerabilities%20in%20NTLM%20relay%20have%20occasionally%20been%20revealed%2C%20the%20most%20recent%20discovery%20from%20a%20few%20weeks%20ago%2C%20of%20remote%20NTLM%20triggering%20on-premises%20Exchange%20Servers%20against%20the%20original%20configuration%20is%20unique%20and%20especially%20concerning%20to%20organizations%20that%20still%20have%20NTLMv1%20in%20use.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERed-teamer%2C%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdirkjanm.io%2Fabusing-exchange-one-api-call-away-from-domain-admin%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EDirk-jan%3C%2FA%3E%3C%2FSPAN%3E%20found%20that%20three%20vulnerabilities%2C%20when%20combined%2C%20can%20potentially%20be%20a%20new%20NTLM%20relay%20attack.%20%3CSPAN%3EDirk-jan%E2%80%99s%3C%2FSPAN%3E%20proposed%20triangle%2C%20is%20based%20on%20historical%20vulnerabilities%20of%20the%20NTLM%20challenge-response%20authentication%20method%2C%20and%20is%20especially%20relevant%20when%20NTLMv1%20is%20in%20use%2C%20or%20less%20commonly%20deployed%2C%20but%20equally%20vulnerable%2C%20unsigned%20or%20unsealed%20NTLMv2.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20proposed%20attack%2C%20Exchange%20Server%20can%20be%20configured%2C%20remotely%20by%20a%20user%20with%20an%20inbox%20on%20the%20Exchange%20Server%2C%20to%20trigger%20NTLM%20authentication%20with%20the%20Exchange%20Server%20account%20credentials%20to%20a%20malicious%20remote%20http%20server.%20The%20remote%20http%20server%20waits%20for%20the%20sensitive%20Exchange%20Server%20account%20to%20relay%20its%20authentication%20to%20any%20other%20server.%20Once%20Exchange%20Server%20account%20impersonation%20is%20targeted%20to%20an%20Active%20Directory%20Domain%20Controller%2C%20the%20sensitive%20permission%20of%20the%20Exchange%20Server%20account%20can%20be%20used%20to%20push%20changes%20in%20the%20directory%20over%20different%20protocols%20such%20as%20LDAP%20or%20LDAPS.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20the%20attacker%20succeeds%20in%20impersonating%20the%20Exchange%20Server%20account%2C%20they%20can%20even%20grab%20extended%20permissions%20to%20perform%20domain%20replication%20(%E2%80%9CDcSync%E2%80%9D)%20and%20also%20acquire%20credentials%20of%20all%20accounts%20in%20the%20domain.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20this%20new%20attack%20scenario%20was%20raised%2C%20Microsoft%E2%80%99s%20Azure%20Advanced%20Threat%20Protection%E2%80%99s%20(Azure%20ATP)%20security%20research%20team%20immediately%20started%20investigating%20this%20and%20realized%20the%20vulnerability%20was%20a%20real%20threat%20and%20created%20a%20new%20Azure%20ATP%20detection%20to%20alert%20SecOps%20teams%20if%20an%20attacker%20is%20leveraging%20this%20exploit.%20The%20new%20Azure%20ATP%20NTLM%20relay%20alert%20identifies%20use%20of%20Exchange%20Server%20account%20credentials%20from%20a%20suspicious%20source%2C%20alerts%20on%20the%20suspicious%20behavior%2C%20provides%20evidence%20and%20related%20entity%20information%2C%20and%20helps%20to%20swiftly%20remediate.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EScreenshots%20from%20the%20Azure%20ATP%20portal%20of%20how%20the%20new%20alert%20looks%20when%20relaying%20from%20Linux%20or%20Windows%20machines%20are%20shown%20below.%20The%20first%20alert%20shows%20a%20detected%20relay%20that%20used%20NTLMv1%20or%20unsigned%20(and%20not%20sealed)%20NTLMv2%20protocol%2C%20and%20the%20second%20alert%20shows%20a%20detected%20relay%20that%20used%20secured%20NTLMv2%20protocol%2C%20with%20suspicious%20IP%20address%20behavior.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20791px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F72678i0468C334C2230073%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22SuspectedNTLM.png%22%20title%3D%22SuspectedNTLM.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%201%20%E2%80%93%20Medium%20severity%20Azure%20ATP%20alert%20detecting%20suspicious%20use%20of%20NTLMv1%20or%20unsigned%20NTLMv2%20protocol%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20886px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F72679iF351A018B6B7C847%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22NTLM2.png%22%20title%3D%22NTLM2.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%202%20-%20Low%20severity%20Azure%20ATP%20alert%20detecting%20suspicious%20use%20of%20signed%20or%20sealed%20NTLMv2%20against%20non-Exchange%20servers%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20strongly%20recommend%20forcing%20the%20use%20of%20NTLMv2%20in%20a%20domain.%20Force%20use%20via%20the%20%3CSTRONG%3ENetwork%20security%3A%20LAN%20Manager%20authentication%20level%2C%3C%2FSTRONG%3E%20%3CSTRONG%3Egroup%20policy%3C%2FSTRONG%3E.%20To%20learn%20more%20about%20force%20use%20of%20NTLMv2%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork-security-lan-manager-authentication-level%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehow%3C%2FA%3E%20to%20set%20the%20group%20policy%20on%20Domain%20Controllers%20or%20on%20Windows%20clients.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20learn%20more%20about%20LDAP%20best%20practices%20for%20client%20signing%20requirements%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fdomain-controller-ldap-server-signing-requirements%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E%3C%2FSPAN%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMake%20your%20organization%20more%20secure%20with%20Azure%20ATP%20by%20leveraging%20the%20scale%20and%20intelligence%20of%20the%20Microsoft%20Intelligent%20Security%20Graph%20as%20part%20of%20Microsoft%20365%E2%80%99s%20E5%20Suite.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EGet%20Started%20Today%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ERead%20about%20customers%20using%20Azure%20ATP%20today%3A%20%3CSPAN%3E%3CA%20href%3D%22http%3A%2F%2Faka.ms%2Faatpstories%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECustomer%20Stories%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3ELearn%20more%20about%20Azure%20ATP%20here%3A%26nbsp%3B%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETechnical%20Documentation%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3EStart%20a%20trial%20from%20our%26nbsp%3B%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Ffeatures%2Fazure-advanced-threat-protection%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Advanced%20Threat%20Protection%20Product%20Page%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3EJoin%20the%20Azure%20ATP%20community%3A%26nbsp%3B%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Advanced-Threat-Protection%2Fbd-p%2FAzureAdvancedThreatProtection%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3ETechnical%20Community%3C%2FA%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-334511%22%20slang%3D%22en-US%22%3E%3CP%3ENTLM%20relay%20vulnerability%20is%20not%20a%20new%20phenomenon.%20With%20the%20added%20security%20mechanisms%20implemented%20in%20signed%20NTLMv2%20making%20successful%20attacks%20seem%20more%20and%20more%20unlikely%2C%20it%20would%20appear%20there%20would%20be%20very%20little%20to%20talk%20about%20here.%20Right%3F%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-334511%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Advanced%20Threat%20Protection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-355897%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20win%20the%20latest%20security%20race%20over%20NTLM%20relay%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-355897%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F177828%22%20target%3D%22_blank%22%3E%40Lawrence%20D'souza%3C%2FA%3E%26nbsp%3B%20As%20long%20as%20the%20service%20that%20gets%20the%20relayed%20session%20validates%20that%20the%20packets%20are%20signed%20the%20relay%20will%20fail.%20For%20example%2C%20in%20the%20case%20of%20Ldap%20relay%2C%20the%20Ntlm%20authentication%20will%20still%20happen%20but%20the%20rest%20of%20the%20packets%20after%20the%20authentication%20will%20be%20dropped.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-339098%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20win%20the%20latest%20security%20race%20over%20NTLM%20relay%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-339098%22%20slang%3D%22en-US%22%3EWhat%20happens%2C%20in%20scenario%202%20above%20(figure%202)%20-%20does%20that%20relay%20attack%20fail%20for%20the%20attacker%20%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-338367%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20win%20the%20latest%20security%20race%20over%20NTLM%20relay%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-338367%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20work!%20Now%20see%20if%20you%20can%20have%20a%20word%20with%20the%20Exchange%20Server%20team%20about%20re-enabling%20the%20loopback%20check%20as%20well!%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Detecting ExchangePriv vulnerability with Azure ATP

 

NTLM relay vulnerability is not a new phenomenon. With the added security mechanisms implemented in signed NTLMv2 making successful attacks seem more and more unlikely, it would appear there would be very little to talk about here. Right?

 

Wrong!

 

In fact, there are attack vectors that remain where NTLMv1 or unsigned NTLMv2 is relayed by attackers in the domain environment. In addition, although NTLMv1 and unsigned NTLMv2 should no longer be in use, our most recent research found that NTLMv1 is still commonly used in about 30-40% of the environments. These legacy protocols are used, by default, on servers running old versions of Windows (Windows Vista or Windows Server 2008 and earlier versions) but can also be seen in new versions which support backward compatibility, or processes that implement the authentication mechanism themselves (such as Python modules like “Impacket”). Furthermore, newly discovered vulnerabilities can lead to easy exploitation of domain controllers, even faster than previously thought possible.

 

Signed NTLMv2 has a signing and sealing mechanism that prevents tampering and relay impersonation. The version of NTLM, however, used in each domain depends on the source computer that initiates authentication. The source computer in different domains can be configured differently based on operating system version, LMCompatibilityLevel registry override or Group Policy Object (GPO) configuration. In other words, even if you are running newer versions of Windows and Active Directory servers, you may be running client services that still use NTLMv1 without realizing it, leaving your organization equally exposed.  

 

While new vulnerabilities in NTLM relay have occasionally been revealed, the most recent discovery from a few weeks ago, of remote NTLM triggering on-premises Exchange Servers against the original configuration is unique and especially concerning to organizations that still have NTLMv1 in use.

 

Red-teamer, Dirk-jan found that three vulnerabilities, when combined, can potentially be a new NTLM relay attack. Dirk-jan’s proposed triangle, is based on historical vulnerabilities of the NTLM challenge-response authentication method, and is especially relevant when NTLMv1 is in use, or less commonly deployed, but equally vulnerable, unsigned or unsealed NTLMv2.

 

In the proposed attack, Exchange Server can be configured, remotely by a user with an inbox on the Exchange Server, to trigger NTLM authentication with the Exchange Server account credentials to a malicious remote http server. The remote http server waits for the sensitive Exchange Server account to relay its authentication to any other server. Once Exchange Server account impersonation is targeted to an Active Directory Domain Controller, the sensitive permission of the Exchange Server account can be used to push changes in the directory over different protocols such as LDAP or LDAPS.

 

If the attacker succeeds in impersonating the Exchange Server account, they can even grab extended permissions to perform domain replication (“DcSync”) and also acquire credentials of all accounts in the domain.

 

When this new attack scenario was raised, Microsoft’s Azure Advanced Threat Protection’s (Azure ATP) security research team immediately started investigating this and realized the vulnerability was a real threat and created a new Azure ATP detection to alert SecOps teams if an attacker is leveraging this exploit. The new Azure ATP NTLM relay alert identifies use of Exchange Server account credentials from a suspicious source, alerts on the suspicious behavior, provides evidence and related entity information, and helps to swiftly remediate.

 

Screenshots from the Azure ATP portal of how the new alert looks when relaying from Linux or Windows machines are shown below. The first alert shows a detected relay that used NTLMv1 or unsigned (and not sealed) NTLMv2 protocol, and the second alert shows a detected relay that used secured NTLMv2 protocol, with suspicious IP address behavior.

 

SuspectedNTLM.pngFigure 1 – Medium severity Azure ATP alert detecting suspicious use of NTLMv1 or unsigned NTLMv2 protocol

NTLM2.pngFigure 2 - Low severity Azure ATP alert detecting suspicious use of signed or sealed NTLMv2 against non-Exchange servers

 

We strongly recommend forcing the use of NTLMv2 in a domain. Force use via the Network security: LAN Manager authentication level, group policy. To learn more about force use of NTLMv2 see how to set the group policy on Domain Controllers or on Windows clients.

 

You can learn more about LDAP best practices for client signing requirements here.

 

Make your organization more secure with Azure ATP by leveraging the scale and intelligence of the Microsoft Intelligent Security Graph as part of Microsoft 365’s E5 Suite.

 

Get Started Today

3 Comments
Occasional Contributor

Great work! Now see if you can have a word with the Exchange Server team about re-enabling the loopback check as well! :) 

Occasional Visitor
What happens, in scenario 2 above (figure 2) - does that relay attack fail for the attacker ?
Microsoft

@Lawrence D'souza  As long as the service that gets the relayed session validates that the packets are signed the relay will fail. For example, in the case of Ldap relay, the Ntlm authentication will still happen but the rest of the packets after the authentication will be dropped.