
Daniel Hackel
Pentester at SVA GmbH, @0x64616e
Daniel lives in Germany and works as a pentester at SVA. He focuses on attacks against Active Directory and Microsoft Cloud, but is also heavily interested in EDR evasion and malware development.
Talks & Q&A
Conference | Sep 18

Relaying Unprivileged Users to RCE
Defending against NTLM relaying attacks.
Description
It is well known that NTLM relaying poses a significant threat to Windows environments. Usually, these attacks involve accounts with local admin privileges. But what if there are situations where a regular user is enough to gain remote code execution?
This talk starts with a brief introduction to NTLM and NTLM relaying before diving deep into uncommon NTLM relaying tradecraft.
We explore three practical techniques, break down their individual building blocks, and explain how they can be combined for lateral movement and privilege escalation in an Active Directory environment.
You will learn how relaying NTLM connections from low-privileged users can lead to workstation and server compromise, and how such connections can be coerced from arbitrary users.
Furthermore, we discuss the necessary prerequisites and demonstrate how existing tools can be used to implement these techniques.
We will conclude the talk with recommendations for defending against NTLM relaying attacks.
Why the committee chose this talk
NTLM is the basis of on-premises Microsoft installations and a major security issue.