SAINTCON 2023 - Mike Venturelli - The (NTLM)Relay Race Against Threat Actors

Security

Mike Venturelli's SAINTCON 2023 talk covers NTLM relay attacks, a significant threat still present today. Learn strategies to prevent compromise, prioritize patching, and migrate to more secure protocols.

Key takeaways

NTLM relay attacks are still a threat and can be used to compromise systems and data.
Microsoft has attempted to patch some vulnerabilities, but threats are still present.
Password reuse and password assessment are crucial for security.
SOC teams should prioritize monitoring logs and enabling auditing for event IDs related to NTLM protocols.
It’s essential to disable NTLM and transition to more secure authentication protocols like Kerberos.
Domain controllers must be properly configured to ensure security.
Old systems and applications may still use NTLM and should be upgraded or replaced.
Knowledge of hashes, such as LM and NTLM, is crucial for identifying potential vulnerabilities.
NTLM is not as secure as other authentication protocols and should be phased out.
Migrating to Kerberos and AES encryption is a recommended mitigation strategy.
Implementing a runspace is a key step in protecting against relay attacks.
It’s important to prioritize patching and keep Windows up-to-date.
NTLM relay attacks can be used to access other protocols like SMB and HTTP.
Identifying relatable hosts and monitoring logs is crucial for detecting and responding to threats.
The “mark of the web” concept is an essential consideration for security.
Utilizing a SIM for log collection and rolling up logs can help streamline the threat hunting process.
Stagger the rollout of mitigations to minimize impact on the production environment.
Enable auditing for event IDs related to NTLM protocols.
Implement migration to AES encryption.
Prioritize patching and keep Windows up-to-date.
Disable NTLM and transition to more secure authentication protocols.

SAINTCON 2023 - Mike Venturelli - The (NTLM)Relay Race Against Threat Actors

More talks