- Home
- SIEM use cases
- NTLM Relay and Coercion Attacks
How to detect NTLM relay and coercion attacks
In this page
Threat snapshot
NTLM relay is one of the oldest credential abuse techniques in Active Directory environments, and one of the most persistently effective. Despite being well-documented for over two decades, it remains a reliable path to domain compromise in a significant percentage of enterprise networks because the underlying conditions that make it work, NTLM authentication being used where it should not be, are difficult to fully eliminate without careful planning.
The mechanics are straightforward. NTLM is a challenge-response authentication protocol: a client proves its identity by responding to a challenge with a hash derived from its password. An attacker who can position themselves between the client and the server can capture that challenge-response exchange and replay it to a different target server, authenticating as the client without ever knowing the actual password. The attacker does not crack the credential; they relay it in real time.
What has changed significantly in recent years is how attackers force authentication in the first place. Coercion techniques such as PetitPotam, PrinterBug, and DFSCoerce allow an attacker with nothing more than a low-privilege domain account to force a Domain Controller to authenticate outbound to an attacker-controlled machine. That forced authentication, relayed to the AD CS HTTP enrollment endpoint or to LDAP with signing disabled, can yield a domain administrator certificate or a shadow credential, enabling full domain compromise in minutes.
This page covers the full coercion-to-relay attack chain, maps each step to Log360's detection rules, and provides the investigation workflow for responding when these rules fire.
NTLM relay and coercion, at a glance
| Severity | Critical |
| Category | Identity & Access |
| Attack variants covered | PetitPotam, PrinterBug (SpoolSS), DFSCoerce, SMB relay, LDAP relay, NTLM relay to AD CS (ESC8), ARP spoofing, DHCP spoofing, adversary-in-the-middle |
| MITRE ATT&CK tactics | TA0006 (Credential Access) |
| MITRE techniques | T1557 (Adversary-in-the-Middle), T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay), T1187 (Forced Authentication) |
| Platforms covered | Windows, Active Directory, SonicWall, Barracuda, Cisco |
| Log360 detection rules |
|
| SOC maturity level | Level 3 (incident response) |
| Compliance mapping | NIST CSF PR.AC-3, PCI-DSS 8.6, HIPAA Section 164.312(e)(1), ISO 27001 A.10.1 |
How NTLM relay attacks work
An NTLM relay attack has two phases that must happen in sequence: coercion (forcing a privileged machine to authenticate) and relay (forwarding that authentication to a target service). Neither phase alone is sufficient. Together they produce domain-level compromise in minutes.
Coercion: forcing NTLM authentication from a Domain Controller
The coercion phase exploits RPC interfaces that Windows exposes by default on domain-joined systems. PetitPotam abuses the EFS (Encrypting File System) RPC interface, specifically the EfsRpcOpenFileRaw function, to trigger an outbound NTLM authentication from any Windows host to an arbitrary IP. PrinterBug (also called SpoolSS) abuses the MS-RPRN print spooler RPC interface for the same purpose. DFSCoerce uses the MS-DFSNM (Distributed File System Namespace Management) interface. All three techniques require only a low-privilege domain account to execute and produce the same result: the targeted machine, typically a Domain Controller, authenticates outbound to the attacker's machine using its machine account credentials.
The critical property of machine account credentials in this context is their privilege level. A Domain Controller's machine account (DC$) has significant privileges within the domain, including the ability to request certificates with Client Authentication EKU via PKINIT. When a DC$ NTLM authentication is relayed to the AD CS enrollment endpoint, the CA issues a certificate for DC$, which the attacker then uses to obtain a Kerberos TGT for the DC account, effectively giving them Domain Admin-equivalent access.
Log signals: SMB named pipe access to \pipe\lsarpc, \pipe\efsr, \pipe\spoolss, or \pipe\netdfs from a non-DC machine to a DC (Sysmon Event 18 named pipe connection, or Windows Security Event 5145 for network share access). The PetitPotam detection rule specifically targets the EFS RPC coercion pattern.
Relay: forwarding captured authentication to a target service
Once the attacker's machine receives the NTLM authentication from the coerced DC, they forward it in real time to a target service. The relay must complete before the NTLM authentication session times out, typically within seconds. The three most impactful relay targets are AD CS (covered in the ADCS abuse use case), LDAP with signing disabled (enables adding shadow credentials or granting DCSync rights), and SMB to other domain-joined machines (enables remote command execution as the DC$ account).
The relay is performed by tools from the Impacket suite, primarily ntlmrelayx.py, or by ADCSPwn for AD CS-specific relay. These tools have distinctive process creation signatures that Log360's detection rules identify via Sysmon Event 1 logs. The relay itself is network-level and does not generate standard Windows authentication events on the attacker's machine, making tool-level detection the primary signal for the relay phase.
Log signals: Sysmon Event 1 (process creation) with Impacket, ntlmrelayx, ADCSPwn binary signatures. Network connections from the attacker's machine to the CA HTTP endpoint (port 80 or 443 to the CA server) or to LDAP (port 389/636) in the seconds following the coercion call.
Network-layer coercion: ARP spoofing and DHCP spoofing
Before RPC-based coercion techniques became widespread, attackers used network-layer attacks to intercept NTLM authentication that occurred naturally in the network. ARP spoofing poisons the ARP cache of target machines to redirect traffic through the attacker's host. DHCP spoofing serves a rogue DHCP response that sets the attacker's machine as the default gateway or DNS server. LLMNR and NBT-NS poisoning responds to broadcast name resolution queries with the attacker's IP, causing clients to authenticate to the attacker when attempting to access a non-existent share or host.
These techniques are older and generate more noise than modern RPC coercion, but they remain in use particularly in internal network assessments and in environments where RPC-based coercion is blocked at the host firewall. They are detectable at the network layer via ARP anomaly rules on perimeter devices and via network-based IDS signatures.
Log signals: ARP cache poisoning detected by perimeter devices (Barracuda, SonicWall), duplicate IP address alerts, DHCP lease anomalies, LLMNR/NBT-NS response from unexpected hosts.
Real-world campaigns
Ransomware pre-positioning: NTLM relay to AD CS for rapid domain compromise
Multiple ransomware operators, including Black Basta affiliates and Scattered Spider, have incorporated PetitPotam-to-AD CS relay into their standard pre-ransomware domain compromise workflow. After gaining initial access through phishing or credential stuffing, the group uses PetitPotam to coerce the nearest DC and relays the authentication to the AD CS enrollment endpoint using ADCSPwn or ntlmrelayx. The resulting DC$ certificate is used to perform a DCSync-equivalent credential dump via PKINIT-authenticated LDAP, yielding all domain credentials. From that point, ransomware deployment across the entire domain is typically accomplished within hours.
The operational appeal is speed and stealth: the entire coercion-to-relay-to-certificate chain can complete in under 60 seconds, generates no Event 4625 (failed logon) entries, and requires no prior knowledge of any user's password beyond the initial foothold account.
APT campaigns: LDAP relay for shadow credentials persistence
Several APT groups tracked by Microsoft and CrowdStrike have used NTLM relay to LDAP as a persistence mechanism rather than an initial compromise technique. After gaining domain access by other means, the group uses coercion and LDAP relay to write shadow credentials (the msDS-KeyCredentialLink attribute) to high-value accounts including domain administrators. Shadow credentials allow PKINIT authentication using an attacker-controlled certificate, providing persistent access that survives password resets and remains valid as long as the shadow credential entry persists in Active Directory.
CVE reference table
| CVE / Technique | Coercion method | Relay target | Log360 detection |
|---|---|---|---|
| CVE-2021-36942 (PetitPotam) | EFS RPC (EfsRpcOpenFileRaw via \pipe\lsarpc or \pipe\efsr) | AD CS HTTP enrollment, LDAP | Petitpotam detection (Critical), followed by HackTool - ADCSPwn Execution or HackTool - Impacket Tools Execution |
| PrinterBug / SpoolSS (MS-RPRN) | Print Spooler RPC (\pipe\spoolss) | AD CS, LDAP, SMB | Potential SMB Relay Attack Tool Execution (Critical), HackTool - Impacket Tools Execution |
| DFSCoerce (MS-DFSNM) | DFS Namespace Management RPC | AD CS, LDAP | Potential SMB Relay Attack Tool Execution, HackTool - Impacket Tools Execution |
| T1557.001 LLMNR/NBT-NS poisoning | Broadcast name resolution poisoning (Responder) | SMB, HTTP | Potential SMB Relay Attack Tool Execution, Adversary-in-the-Middle attack (Cisco), ARP spoofing rules |
| ARP spoofing (T1557) | ARP cache poisoning via gratuitous ARP | Any authenticated protocol | Possible ARP Attack Detected (SonicWall), Suspicious ARP activity detected - ARP spoofing (Barracuda), Duplicate IP Detected (Barracuda) |
| DHCP spoofing (T1557) | Rogue DHCP server response | Network traffic via rogue gateway/DNS | DHCP IP Spoof detected (SonicWall) |
Business impact
- Domain compromise in under 60 seconds. Modern coercion-to-relay chains, particularly PetitPotam to AD CS, can produce domain administrator-equivalent access in under a minute from a single low-privilege domain account. The speed of the attack leaves almost no time for human-in-the-loop detection and response; automated detection rules that fire at the coercion phase are the only realistic intervention point.
- No password knowledge required. NTLM relay attacks do not require the attacker to know any user's password. They exploit the authentication protocol itself. Password complexity policies, regular password rotation, and even PAM solutions provide no protection against a relay attack. The only effective mitigations are protocol-level controls: SMB signing, LDAP signing, EPA on AD CS, and disabling NTLM where Kerberos is available.
- Enabling downstream attacks. NTLM relay is rarely the end goal. It is the mechanism for obtaining credentials, certificates, or shadow credentials that enable everything that follows: DCSync, Golden Ticket creation, ransomware deployment, and persistent access. Stopping the relay stops the entire downstream chain before any of those consequences materialize.
- Difficulty of post-compromise cleanup. When a coercion-to-relay attack succeeds and shadow credentials or a DC$ certificate are obtained, remediating the compromise requires not just revoking the certificate or removing the shadow credential, but also identifying and closing every persistence mechanism the attacker may have established in the minutes between the relay and detection. Full AD compromise requires full AD remediation, which can take weeks.
Detecting NTLM relay and coercion with Log360
Log360's 10 detection rules for this use case cover both phases of the attack: coercion (the RPC call that forces NTLM authentication from the DC) and relay (the tool-level execution and network-layer techniques used to intercept and forward that authentication). For the Windows-based rules to fire, Sysmon process creation logs (Event 1) and named pipe events (Events 17 and 18) must be forwarding to Log360 from domain-joined endpoints. For the network-layer rules, perimeter device logs from SonicWall, Barracuda, and Cisco must be configured as log sources in Log360.
RPC coercion detection
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Petitpotam detection | Critical | Windows | T1557.001 | PetitPotam coercion activity via the EFS RPC interface. The rule fires on the named pipe access pattern used by PetitPotam (\pipe\lsarpc or \pipe\efsr) combined with the EfsRpcOpenFileRaw call pattern that triggers outbound NTLM authentication from the targeted host. Critical severity because there are no legitimate use cases for this specific RPC call pattern in production environments. Any detection is high-confidence malicious activity. |
Relay tool detection
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Potential SMB Relay Attack Tool Execution | Critical | Windows | T1557.001 | Execution of known SMB relay frameworks including Impacket's ntlmrelayx.py, Responder, and similar tooling, detected via Sysmon process creation. Covers the relay phase of both PetitPotam-based coercion and LLMNR/NBT-NS poisoning attacks. Critical severity: SMB relay tool execution has no legitimate use in production environments outside of authorized security assessments. |
| HackTool - Impacket Tools Execution | Trouble | Windows | T1557.001 | Impacket suite binary or script execution detected via Sysmon process creation. Impacket's ntlmrelayx is the primary tool used for relaying coerced NTLM authentications to AD CS, LDAP, and SMB targets. The rule covers Impacket binary signatures, Python script execution with Impacket-specific import and argument patterns, and invocation through scripting wrappers. |
| HackTool - ADCSPwn Execution | Trouble | Active Directory | T1557.001 | ADCSPwn tool execution detected via Sysmon process creation. ADCSPwn is a purpose-built NTLM relay tool specifically targeting the AD CS HTTP enrollment endpoint, automating the ESC8 attack chain in a single command. Its process creation signature is highly distinctive and specific to this attack category. |
Network-layer relay and interception detection
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Adversary-in-the-Middle attack | Trouble | Cisco | T1557 | Cisco network device detection of adversary-in-the-middle conditions, covering ARP-based and other network-layer interception techniques that position an attacker between a client and a server to intercept NTLM authentication in transit. |
| Possible ARP Attack Detected | Trouble | SonicWall | T1557 | SonicWall detection of ARP-based attack patterns including ARP cache poisoning via gratuitous ARP floods or ARP responses that do not correspond to an existing DHCP lease. ARP poisoning is the foundational technique for network-layer NTLM relay attacks in switched network environments. |
| Suspicious ARP activity detected - ARP spoofing | Trouble | Barracuda | T1557.001 | Barracuda network appliance detection of ARP spoofing activity, specifically ARP responses from a host claiming an IP address that does not match its DHCP-assigned address or its previously observed ARP mapping. High-confidence indicator of an active network-layer relay positioning attempt. |
| DHCP IP Spoof detected | Trouble | SonicWall | T1557 | SonicWall detection of a rogue DHCP server or DHCP IP spoofing activity on the network. A rogue DHCP server can set the attacker's machine as the default gateway or DNS server for newly connected clients, routing their authentication traffic through the attacker without requiring ARP manipulation. |
| Duplicate IP Detected | Trouble | Barracuda | T1557 | Two distinct MAC addresses claiming the same IP address on the network segment, detected by Barracuda. Duplicate IP conditions are characteristic of ARP spoofing attacks and can also indicate a rogue host attempting to take over a legitimate machine's network identity for relay purposes. |
| Possible SHLO replay attack | Trouble | SonicWall | T1557 | SonicWall detection of a Session Layer Hello (SHLO) replay attack, a technique used to replay captured session initialization packets to hijack established authenticated sessions at the network layer. This is a lower-level variant of the relay concept applied to session-layer protocols. |
Attack chain visibility
The detection rules above cover two distinct points in the attack chain: the coercion call (Petitpotam rule) and the relay tool execution (Impacket, ADCSPwn, SMB relay rules). Both firing within a short time window on related hosts is a confirmed active attack. The sequences below show what the log record looks like for the two most operationally significant variants.
Sequence A: PetitPotam to AD CS relay (ESC8)
| Step | Log source and event | What it indicates | Time offset |
|---|---|---|---|
| 1 | Sysmon Event 18 (Named Pipe Connected) on DC | An external host connected to \pipe\lsarpc or \pipe\efsr on the DC. This is the PetitPotam coercion call. The Petitpotam detection rule fires. The DC will now authenticate outbound to the attacker's machine. | T+0 |
| 2 | Sysmon Event 1 (Process Creation) on attacker host | ADCSPwn or ntlmrelayx executes on the attacker's machine concurrently with the coercion call. HackTool - ADCSPwn Execution or HackTool - Impacket Tools Execution rule fires. The tool is receiving the DC$ NTLM authentication and forwarding it to the CA HTTP endpoint. | T+0 (concurrent) |
| 3 | Windows Security Event 4887 (CA audit log) | The CA issues a certificate in the name of the DC$ machine account. Certificate issuance for a machine account with Client Authentication EKU, triggered by an HTTP enrollment request from a non-CA-management IP, is the forensic indicator of a successful ESC8 relay. | T+1 min |
| 4 | Windows Security Event 4768 (Kerberos TGT) | PKINIT authentication using the newly issued DC$ certificate produces a TGT for the DC account. The attacker now has Kerberos access equivalent to the Domain Controller machine account, enabling DCSync or shadow credential operations. | T+2 min |
Sequence B: ARP spoofing to SMB relay
| Step | Log source and event | What it indicates | Time offset |
|---|---|---|---|
| 1 | Barracuda / SonicWall network logs | ARP spoofing detected: a host is broadcasting ARP responses claiming an IP that belongs to another device. Suspicious ARP activity detected or Possible ARP Attack Detected rule fires. The attacker is positioning themselves to intercept traffic between targeted hosts. | T+0 |
| 2 | Sysmon Event 1 (Process Creation) | Responder or ntlmrelayx executes on the attacker's machine. Potential SMB Relay Attack Tool Execution rule fires. The tool is listening for NTLM authentication from hosts whose traffic has been redirected via the ARP poison. | T+0 to T+5 min |
| 3 | Windows Security Event 4624 (Type 3 logon) | A successful NTLM network logon is recorded on the relay target machine, authenticated as a domain user whose traffic was intercepted. The source IP belongs to the attacker's relay machine. This is the relay completion event. | T+5 to T+15 min |
Investigation playbook
NTLM relay investigations are time-critical. The coercion-to-relay chain can complete in under 60 seconds, and a successful relay that produces a DC$ certificate or shadow credential gives the attacker persistent domain-level access that survives the termination of the relay tool itself. By the time the detection rule fires, the relay may already be complete. The investigation goal is to determine whether the relay succeeded, what credential or certificate was obtained, and whether persistence has been established.
Step 1: Triage - determine which phase was detected
| Rule that fired | Phase detected | Relay complete? | First action |
|---|---|---|---|
| Petitpotam detection | Coercion call received by DC | Unknown: coercion fired but relay may not have completed yet. Check immediately for concurrent relay tool execution. | Check Sysmon logs on all hosts in the same subnet for concurrent ADCSPwn or Impacket execution within the same 60-second window. Check CA audit log (Event 4887) for certificate issuance in the same window. |
| HackTool - ADCSPwn Execution or HackTool - Impacket Tools Execution | Relay tool executing on attacker host | Possibly complete: tool was running. Check CA audit for issuance. | Check CA audit log immediately for Event 4887 (certificate issuance) from the attacker's host IP. Check Kerberos logs for PKINIT TGT requests using a DC$ certificate in the minutes following. |
| Potential SMB Relay Attack Tool Execution | Relay tool executing for SMB or general relay | Possibly complete. Check for successful logons from the relay tool host. | Check Event 4624 (successful logon, Type 3) on domain-joined machines where the source IP matches the relay tool host. A successful relay produces an authenticated session on the target machine. |
| ARP spoofing rules (Barracuda, SonicWall) | Network-layer positioning in progress | Not yet: ARP poison detected before relay completion. | Identify the host generating the ARP poison from the alert. Block that host's network access. Check for concurrent Responder or ntlmrelayx execution on the same host via Sysmon logs. |
Step 2: Determine if the relay succeeded
- For AD CS relay: query the CA audit log for Event 4887 (certificate issuance) in the 5 minutes following the coercion event. Look specifically for certificates issued for machine accounts (accounts ending in $) with Client Authentication EKU from an HTTP enrollment request originating from an unexpected source IP. This is the definitive indicator of a successful ESC8 relay.
- For LDAP relay: check for changes to the msDS-KeyCredentialLink attribute on any AD object in the same time window. This attribute being written by an unexpected source is the shadow credentials persistence indicator. Query AD object modification events (Event 5136) on domain controllers.
- For SMB relay: check Event 4624 (Type 3, NTLM authentication) on target machines where the source IP is the attacker's relay host rather than the authenticated account's normal workstation.
- For PKINIT usage of a relay-obtained certificate: check Event 4768 (Kerberos TGT request) for certificate-based pre-authentication from an IP that matches the relay tool host. A TGT issued for DC$ from an unexpected IP is confirmation the relay produced a usable credential.
Step 3: Investigate using the Incident Workbench
- Click on the attacker's source IP or the affected DC hostname in the alert to open the Incident Workbench. Use the Process analytics tab on the host where Impacket, ADCSPwn, or SMB relay tools were detected. The process tree shows what spawned the relay tool, what commands followed it, and whether post-relay actions (DCSync, LDAP queries, certificate usage) occurred on that machine.
- Use Advanced Threat Analytics on the attacker's source IP to check threat feed risk scores. IPs used for coercion and relay attacks in production environments are frequently associated with known attack infrastructure or prior incident records.
- If the coercion originated from an internal host (indicating the attacker already has an internal foothold), open the Incident Workbench for the user or machine account associated with that host to understand the prior compromise chain.
- Save the Incident Workbench session to an incident. Preserve the process tree from the relay host and the CA audit log export as the primary evidence record.
Step 4: Assess persistence established
- If a DC$ certificate was issued, treat the certificate as a standing credential for
domain-level access until it is explicitly revoked. Check the CA audit log for the
certificate serial number and revoke it immediately using
certutil -revoke <SerialNumber>followed by a CRL push. - Query all AD objects for recent msDS-KeyCredentialLink attribute modifications (Event 5136, attribute OID 1.2.840.113556.1.4.2328). Any write to this attribute by a non-standard source is a shadow credential implanted for persistent access.
- Check whether any new user accounts, service accounts, or group memberships were created in the period following the relay, using the relay-obtained credential. DC$ machine account access can be used for AD object manipulation.
- Verify whether the attacker used the relay credential to modify Kerberos delegation settings or trust relationships on any AD objects, which would extend the persistence surface beyond the directly compromised accounts.
Step 5: Collect evidence and build the timeline
- Export the Sysmon Event 1 and Event 18 logs from the DC and the attacker's host covering the attack window. These are the primary forensic records showing the coercion call, the relay tool execution, and any post-relay process activity.
- Export the CA audit log (Events 4886 and 4887) for the investigation period. If a certificate was issued, the serial number, template, requesting identity, and source IP are all recorded here and are required for revocation and for proving scope of compromise.
- Export Kerberos Event 4768 logs from domain controllers for the period following the relay, filtered for certificate-based pre-authentication and for TGT requests from the attacker's IP.
- Export the investigation timeline from Log360 as the compliance artifact for NIST CSF DE.AE-5 (incident analysis) and PCI-DSS Requirement 10.7.
Response and remediation
Immediate containment
- Isolate the relay host from the network. The machine running the relay tool is the attacker's primary operational platform for this attack. Network isolation prevents completion of any in-progress relay and prevents the attacker from using a relay-obtained credential for subsequent access. Isolation should occur within seconds of the relay tool detection rule firing.
- Revoke any certificates issued during the attack window. Check the CA audit
log for any certificates issued in the 5 minutes surrounding the coercion event. Revoke all
suspicious issuances using
certutil -revoke <SerialNumber>and publish an updated CRL immediately. - Remove any shadow credentials implanted via LDAP relay. Query AD for recent msDS-KeyCredentialLink modifications and remove any attacker-added entries. This requires identifying the specific attribute value added by the relay and removing it from the affected AD object.
- Perform a double krbtgt password reset if domain-level access via a relay-obtained certificate or shadow credential is confirmed. Two resets within the Kerberos ticket lifetime window (typically 10 hours) are required to invalidate all Kerberos tickets issued using the compromised DC$ credential.
Response actions by trigger
| Trigger | Immediate action | Owner |
|---|---|---|
| Petitpotam detection only (no relay tool firing) | Isolate source host. Check concurrently for relay tool execution and CA issuance. Block the EFS RPC pipe at host firewall on all DCs as an emergency measure. | SOC L2 |
| Petitpotam + ADCSPwn or Impacket firing concurrently | Active relay in progress. Isolate relay host immediately. Check CA audit for issuance. If certificate issued, revoke within minutes. Declare incident. | SOC L3 + Incident Response |
| Confirmed DC$ certificate issued | Revoke certificate, push CRL, perform double krbtgt reset, check for shadow credentials, begin full AD compromise assessment. | Incident Response + AD Team |
| ARP spoofing rules (no relay tool detected) | Isolate the ARP spoofing host. Check for relay tool execution. If internal host is ARP poisoning, treat as compromised and begin investigation. | SOC L2 |
| SMB relay tool without confirmed successful relay | Isolate tool host. Check Event 4624 on target machines for authenticated sessions from the tool host. Treat as active incident if any found. | SOC L2 + Incident Response |
Hardening
- Enable SMB signing on all domain-joined machines. SMB signing is the single most effective control against SMB relay attacks. With signing enforced, a relayed authentication cannot be used to establish an SMB session because the attacker cannot produce valid signatures. Configure via Group Policy: Microsoft network server: Digitally sign communications (always) set to Enabled.
- Enable LDAP signing and channel binding on all domain controllers. LDAP signing prevents NTLM relay to LDAP by requiring the authentication to be cryptographically bound to the LDAP session. Configure via Group Policy: Domain controller: LDAP server signing requirements set to Require signing.
- Enable Extended Protection for Authentication (EPA) on the AD CS HTTP enrollment endpoint. EPA binds NTLM authentication to the TLS channel, preventing relay to the certsrv endpoint. This directly closes the ESC8 attack path. Configure in IIS on the CA server by enabling Windows Authentication with Extended Protection set to Required.
- Disable the Print Spooler service on Domain Controllers. The Print Spooler
service is the enabler of PrinterBug coercion. Domain Controllers do not need the Print
Spooler service for their function, and disabling it eliminates one coercion vector
entirely. Configure via Group Policy or directly via
sc config spooler start=disabledon each DC. - Block NTLM authentication to Domain Controllers via Conditional Access policies. Where Kerberos is available (which it should be for all internal domain resources), NTLM authentication to DCs can be blocked via the Group Policy setting: Network security: Restrict NTLM: NTLM authentication in this domain set to Deny all.
False positive tuning
| False positive source | Rules affected | Tuning strategy |
|---|---|---|
| Authorized penetration testing and red team exercises | Petitpotam detection, HackTool - Impacket Tools Execution, HackTool - ADCSPwn Execution, Potential SMB Relay Attack Tool Execution | Create a time-bounded exception scoped to the authorized assessment source IP range, tied to the approved change ticket. Remove the exception immediately when the assessment window closes. Never create permanent exclusions for coercion or relay tool detection rules. The Petitpotam rule in particular should never have a permanent exclusion in any production environment. |
| Network monitoring tools generating ARP probes | Possible ARP Attack Detected, Suspicious ARP activity detected, Duplicate IP Detected | Network monitoring agents and vulnerability scanners sometimes generate ARP probe traffic that triggers ARP anomaly rules. Identify the IP addresses of known monitoring hosts and create source-IP-scoped exceptions for those specific hosts. Verify that the monitoring tool's ARP traffic pattern matches the exception before creating it: probing is distinct from spoofing. |
| DHCP failover and redundancy configurations | DHCP IP Spoof detected | DHCP failover configurations can generate DHCP traffic patterns that resemble spoofing to perimeter devices. Whitelist the known DHCP failover partner server IPs from this rule. Verify that the DHCP traffic originates from the known secondary DHCP server IP before creating the exception. |
| Virtual machine migration and live migration events | Duplicate IP Detected, Possible ARP Attack Detected | VM live migration briefly creates a duplicate MAC-to-IP mapping as the VM moves between hypervisor hosts. This can trigger duplicate IP or ARP anomaly rules during the migration window. Correlate these alerts with known VM migration schedules or vCenter/Hyper-V migration events. Create a time-bounded exception during planned migration maintenance windows. |
