Potential SMB Relay Attack Tool Execution

Last updated on:

Rule name: Potential SMB Relay Attack Tool Execution

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Collection: Adversary-in-the-Middle - LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001), Credential Access: Adversary-in-the-Middle - LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

Detects the execution of various hacktools used for relay attacks on Windows to escalate privileges.

Severity

Critical

Rule journey

Attack chain scenario

Initial access → Network scanning → SMB discovery → Relay tool execution → Credential capture → Privilege escalation

Impact

  • Privilege escalation
  • Credential theft
  • Lateral movement
  • Unauthorized access

Rule Requirement

Prerequisites

  • Using Windows event viewer:

To configure process creation auditing, log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC) by running gpmc.msc. Create a new GPO, or edit an existing one linked to the appropriate organizational unit (OU), then navigate to Advanced Audit Policy Configuration under Computer Configuration and enable both Audit Process Creation and Audit Process Termination by selecting Success for each. For deeper visibility, enable the policy that includes command line information in process creation events, under Administrative Templates > System > Audit Process Creation. Finally, ensure the event log channel is active by creating the registry key "Microsoft-Windows-Security-Auditing/Operational" if it doesn't already exist.

  • Using Sysmon:

Download and install Sysmon from Microsoft Sysinternals, then open a Command Prompt with administrator privileges. Use a configuration file that includes process creation monitoring, such as one with a <ProcessCreate> rule, and install Sysmon using sysmon.exe -i [configfile.xml]. To ensure logging is enabled, create the registry key "Microsoft-Windows-Sysmon/Operational" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ if it doesn't already exist.

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME contains "PetitPotam,RottenPotato,HotPotato,JuicyPotato,\just_dce_,Juicy Potato,\temp\rot.exe,\Potato.exe,\SpoolSample.exe,\Responder.exe,\smbrelayx,\ntlmrelayx,\LocalPotato" OR COMMANDLINE contains "Invoke-Tater, smbrelay, ntlmrelay,cme smb , /ntlm:NTLMhash ,Invoke-PetitPotam,.exe -t * -p " OR (COMMANDLINE contains ".exe -c "{" AND COMMANDLINE endswith "}" -z")) AND PROCESSNAME notcontains "HotPotatoes6,HotPotatoes7,HotPotatoes " select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
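The criteria above, re-implemented in Python and run over constructed process-creation events so the three match clauses and the HotPotatoes exclusion can be checked one by one. This is an added example, not the vendor's rule engine; it assumes that "contains" is case-insensitive, that the "*" in ".exe -t * -p " is a wildcard, and that the spaces in the comma-separated lists are literal parts of each pattern. Hostnames, paths and the GUID in the samples are made up.

```python
# Added example, not the vendor's rule engine: the Criteria above re-implemented in
# Python and run over constructed process-creation events. Assumptions: 'contains'
# is case-insensitive, '*' in '.exe -t * -p ' is a wildcard, list spacing is literal.
import re

PROCESS_CONTAINS = [
    "PetitPotam", "RottenPotato", "HotPotato", "JuicyPotato", "\\just_dce_",
    "Juicy Potato", "\\temp\\rot.exe", "\\Potato.exe", "\\SpoolSample.exe",
    "\\Responder.exe", "\\smbrelayx", "\\ntlmrelayx", "\\LocalPotato",
]
CMDLINE_CONTAINS = [
    "Invoke-Tater", " smbrelay", " ntlmrelay", "cme smb ", " /ntlm:NTLMhash ",
    "Invoke-PetitPotam", ".exe -t * -p ",
]
PROCESS_EXCLUDES = ["HotPotatoes6", "HotPotatoes7", "HotPotatoes "]  # benign software

def contains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring match; '*' in the needle matches any run."""
    pattern = ".*".join(re.escape(part) for part in needle.split("*"))
    return re.search(pattern, haystack, re.IGNORECASE | re.DOTALL) is not None

def matches_rule(event: dict) -> bool:
    """Action1 criteria: tool name OR tool arguments OR CLSID-style args, minus exclusions."""
    if event.get("actionname") != "Process started":
        return False
    proc, cmd = event.get("PROCESSNAME", ""), event.get("COMMANDLINE", "")
    tool_name = any(contains(proc, n) for n in PROCESS_CONTAINS)
    tool_args = any(contains(cmd, n) for n in CMDLINE_CONTAINS)
    clsid_style = contains(cmd, '.exe -c "{') and cmd.lower().endswith('}" -z')
    excluded = any(contains(proc, n) for n in PROCESS_EXCLUDES)
    return (tool_name or tool_args or clsid_style) and not excluded

def alerting_hosts(events: list) -> list:
    """HOSTNAME of every event the rule would raise (the rule's 'select' step)."""
    return [e["HOSTNAME"] for e in events if matches_rule(e)]

# Constructed sample events; hostnames, paths and the GUID are made up.
SAMPLE_EVENTS = [
    {"actionname": "Process started", "HOSTNAME": "WS01",  # ordinary service start
     "PROCESSNAME": "C:\\Windows\\System32\\svchost.exe", "COMMANDLINE": "svchost.exe -k netsvcs"},
    {"actionname": "Process started", "HOSTNAME": "WS02",  # tool name in the image path
     "PROCESSNAME": "C:\\Users\\Public\\juicypotato.exe", "COMMANDLINE": "juicypotato.exe"},
    {"actionname": "Process started", "HOSTNAME": "WS03",  # benign, hits the exclusion
     "PROCESSNAME": "C:\\Program Files\\HotPotatoes6\\HotPot6.exe", "COMMANDLINE": "HotPot6.exe"},
    {"actionname": "Process started", "HOSTNAME": "WS04",  # matches the CLSID clause only
     "PROCESSNAME": "C:\\Temp\\t.exe",
     "COMMANDLINE": 'C:\\Temp\\t.exe -c "{11111111-2222-3333-4444-555555555555}" -z'},
    {"actionname": "Process stopped", "HOSTNAME": "WS05",  # not a start event, never evaluated
     "PROCESSNAME": "C:\\Tools\\ntlmrelayx.exe", "COMMANDLINE": "ntlmrelayx.exe"},
]
```

Running alerting_hosts(SAMPLE_EVENTS) yields WS02 and WS04 only: WS03 shows why the notcontains clause exists, since "HotPotatoes6" contains the "HotPotato" substring.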

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

  • Collection: Adversary-in-the-Middle - LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)
  • Credential Access: Adversary-in-the-Middle - LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below:

  • NIST SP 800-53: SI-4 – System Monitoring: Requires continuous monitoring to detect and respond to security threats.
    Triggering this rule helps identify SMB relay tools early, supporting proactive system monitoring.
  • NIST SP 800-53: AC-2 – Account Management: Focuses on managing user accounts and controlling access.
    Triggering this rule alerts administrators to potential misuse of accounts via relay-based privilege escalation.
  • NIST SP 800-53: AU-6 – Audit Review, Analysis, and Reporting: Mandates regular analysis of audit logs for indicators of compromise.
    Triggering this rule generates critical event data to be reviewed for signs of malicious lateral movement.
  • NIST SP 800-61: Computer Security Incident Handling Guide: Outlines processes for detecting, analyzing, and responding to incidents.
    Triggering this rule supports early detection and response to SMB relay activity, aiding incident handling teams.
  • NIST SP 800-137: ISCM – Information Security Continuous Monitoring: Promotes ongoing assessment of security controls and risks.
    Triggering this rule strengthens continuous monitoring by detecting known attack tool execution in real time.
  • NIST SP 800-171: 3.1.6 – Least Privilege Principle: Limits user access to only what is necessary.
    Triggering this rule helps detect unauthorized attempts to elevate privileges, reinforcing least privilege enforcement.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

This rule will be triggered when red teams or penetration testers execute authorized SMB relay tools during security assessments. It may also fire in lab environments where simulated attacks are used for testing detection capabilities.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
  4. Containment: Isolate the affected system or network segment to prevent further spread or privilege abuse by the relay tool.
  5. Eradication: Remove the identified malicious tool, clean up scheduled tasks or services created by the attacker, and patch any exploited vulnerabilities.

Mitigation

Mitigation ID - Mitigation Name: Description

M1042 - Disable or Remove Feature or Program: Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)

M1037 - Filter Network Traffic: Use host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks. (Citation: byt3bl33d3r NTLM Relaying) (Citation: Secure Ideas SMB Relay) (Citation: Microsoft SMB Packet Signing)

M1031 - Network Intrusion Prevention: Network intrusion detection and prevention systems that can identify traffic patterns indicative of adversary-in-the-middle (AiTM) activity can be used to mitigate activity at the network level.

M1030 - Network Segmentation: Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of AiTM activity.