Full Report
In "An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit", Jordan Drysdale shared the dangers of not requiring SMB signing and […] The post "Bypass NTLM Message Integrity Check – Drop the MIC" appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: SMB Relay to LDAPS via NTLM MIC Removal
## Overview
This technique focuses on leveraging known vulnerabilities and misconfigurations in Active Directory environments to escalate privileges from network access to Domain Admin capabilities by relaying NTLM authentication traffic from an SMB connection to an LDAPS endpoint on a Domain Controller. The core enabler is the ability to bypass the NTLM Message Integrity Check (MIC), often related to CVE-2019-1040, allowing unmodified relaying of authentication attempts.
## Technical Details
- Type: Technique/Exploit Chain
- Platform: Windows Active Directory environment (Targeting Domain Controllers for LDAP/LDAPS)
- Capabilities: Credential relay, computer object creation, privilege escalation.
- First Seen: Related components (LLMNR/SMB relay) are long-standing; the specific exploitation of the NTLM MIC bypass is generally associated with disclosures around 2019 (CVE-2019-1040).
## MITRE ATT&CK Mapping
- **TA0005 - Privilege Escalation**
  * T1078.003 - Valid Accounts: Domain Accounts
- **TA0011 - Credential Access**
  * T1557.002 - Man-in-the-Middle: Protocol Spoofing (LLMNR/SMB poisoning often precedes the relay)
- **TA0006 - Credential Access**
  * T1110.003 - Brute Force: Password Guessing (if captured credentials are later cracked, though not the focus here)
- **TA0008 - Lateral Movement**
  * T1021.004 - Remote Services: SMB/Windows Admin Shares (initial traffic source for the relay)
## Functionality
### Core Capabilities
- **LLMNR/NetBIOS Poisoning (via Responder):** Waiting for broadcast traffic to redirect authentication requests to the attacker's machine.
- **NTLM Relay:** Capturing the NTLM challenge/response sequence over SMB.
- **MIC Removal:** Exploiting the "drop the MIC" vulnerability (related to CVE-2019-1040) in the NTLM handshake to forward NTLM authentication to LDAPS.
- **Computer Object Creation:** Utilizing the `ms-ds-machineaccountquota` (default 10) configuration setting to create a new computer object in the domain using the relayed credentials.
### Advanced Features
- **SMB to LDAPS Relay:** Successfully bridging the gap between standard SMB authentication capture and interaction with the Domain Controller over secure LDAP (LDAPS).
- **Automated Domain Object Creation:** Using the `--add-computer` flag in `ntlmrelayx.py` to automatically provision a new domain machine account, thereby gaining legitimate domain credentials (potentially DA level if relaying credentials from a privileged source, or restricted user level if relaying from a standard authenticated user).
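To make the "drop the MIC" step concrete from the verifier's side, here is an added Python model, written for this summary and not taken from the Black Hills post or from Impacket, of how the MIC binds the three NTLM handshake messages together and of the server-side check that the CVE-2019-1040 fix introduced. The HMAC-MD5 construction and the MsvAvFlags "MIC present" bit follow MS-NLMP; the message byte strings, the session key and the `enforce_mic_presence` switch are constructed teaching stand-ins, not real wire structures or Windows settings.

```python
"""Constructed, simplified model of the NTLM Message Integrity Check (MIC) and of
the server-side check that the CVE-2019-1040 fix added. The byte strings below
are stand-ins for the three NTLM handshake messages, not real MS-NLMP wire
structures; enforce_mic_presence is a teaching switch, not a Windows setting."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

MIC_LEN = 16
# Real MS-NLMP MsvAvFlags bit: the client sets it inside the NTLMv2 response to say
# "this AUTHENTICATE message carries a MIC". That response is keyed with the user's
# NT hash, so a relay that does not know the password cannot clear the bit.
MSV_AV_FLAG_MIC_PRESENT = 0x02


def compute_mic(session_key: bytes, negotiate: bytes, challenge: bytes,
                auth_body: bytes, av_flags: int) -> bytes:
    """MS-NLMP: MIC = HMAC-MD5(ExportedSessionKey,
    NEGOTIATE || CHALLENGE || AUTHENTICATE with its 16-byte MIC field zeroed)."""
    auth_with_zero_mic = auth_body + av_flags.to_bytes(4, "little") + b"\x00" * MIC_LEN
    return hmac.new(session_key, negotiate + challenge + auth_with_zero_mic, hashlib.md5).digest()


def client_authenticate(session_key: bytes, negotiate: bytes, challenge: bytes,
                        auth_body: bytes) -> dict:
    """A current client always signals the MIC in MsvAvFlags and computes it."""
    av_flags = MSV_AV_FLAG_MIC_PRESENT
    return {"body": auth_body, "av_flags": av_flags,
            "mic": compute_mic(session_key, negotiate, challenge, auth_body, av_flags)}


def server_verify(session_key: bytes, negotiate: bytes, challenge: bytes,
                  auth: dict, enforce_mic_presence: bool = True) -> Tuple[bool, str]:
    """Server side. With enforce_mic_presence=True this is the hardened behaviour:
    a missing MIC is tolerated only when the client never signalled one."""
    mic = auth["mic"]
    signalled = bool(auth["av_flags"] & MSV_AV_FLAG_MIC_PRESENT)
    if mic is None:
        if signalled and enforce_mic_presence:
            return False, "rejected: client signalled a MIC but none arrived"
        return True, "accepted without MIC (pre-fix leniency)"
    expected = compute_mic(session_key, negotiate, challenge, auth["body"], auth["av_flags"])
    if not hmac.compare_digest(expected, mic):
        return False, "rejected: MIC does not cover these three messages"
    return True, "accepted: MIC valid"


def demo() -> Dict[str, bool]:
    session_key = secrets.token_bytes(16)               # ExportedSessionKey: known to client and server only
    negotiate = b"NEGOTIATE flags=SIGN|SEAL|KEY_EXCH"   # constructed stand-in
    challenge = b"CHALLENGE " + secrets.token_bytes(8)   # constructed stand-in
    auth = client_authenticate(session_key, negotiate, challenge, b"AUTHENTICATE user=alice domain=CORP")

    # A relay in the middle cannot recompute the MIC (it lacks the session key), so a
    # forwarded message either arrives with the MIC field removed, or with NEGOTIATE
    # altered (e.g. signing turned off) while the original MIC is still attached.
    mic_removed = dict(auth, mic=None)
    altered_negotiate = b"NEGOTIATE flags=KEY_EXCH"

    return {
        "honest_accepted": server_verify(session_key, negotiate, challenge, auth)[0],
        "mic_removed_hardened_accepted": server_verify(session_key, negotiate, challenge, mic_removed)[0],
        "mic_removed_legacy_accepted": server_verify(session_key, negotiate, challenge, mic_removed,
                                                     enforce_mic_presence=False)[0],
        "altered_negotiate_accepted": server_verify(session_key, altered_negotiate, challenge, auth)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The two negative cases show why the fix works: with the MIC attached, any change to NEGOTIATE breaks the HMAC, and with the MIC removed, the integrity-protected MsvAvFlags bit still says one should be there, so a patched server refuses the bind. Only the pre-fix leniency (`enforce_mic_presence=False`) lets the stripped message through.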
## Indicators of Compromise
- File Hashes: Not specified in context (Relies on executing tools).
- File Names: `ntlmrelayx.py` (Impacket), `Responder.conf`, `Responder.py`.
- Registry Keys: Not applicable.
- Network Indicators: Initial SMB connection attempts targeting the attacker's machine (traffic that should normally be blocked or secured), followed by connection attempts from the attacker's host towards the DC (`10.10.10.1` in the example) over port 636 (LDAPS) or port 389 with TLS negotiation (StartTLS).
- Behavioral Indicators:
  * An authenticated user attempts to connect via SMB to a host that is offering LLMNR/SMB poisoning services.
  * Unusual outbound LDAPS connection initiation from the attacker's relay machine to a Domain Controller.
  * Creation of a new computer object (e.g., `snowmachine2$`) in Active Directory by an untrusted source/system.
## Associated Threat Actors
The tools used (`Impacket`, `Responder`, `CrackMapExec`) are common in penetration testing and red teaming engagements, though they are frequently leveraged by various threat groups during the initial compromise or privilege escalation phases in Active Directory environments. Specific threat actor attribution is not provided in the text snippet.
## Detection Methods
- **Signature-based detection:** Signatures for the specific command line arguments used with `ntlmrelayx.py` (e.g., inclusion of `--remove-mic` targeting an LDAPS endpoint).
- **Behavioral detection:** Monitoring Domain Controllers for unexpected LDAP/LDAPS binding attempts originating from internal hosts that do not normally communicate on those protocols for this purpose. Monitoring for machines suddenly creating computer accounts without corresponding provisioning logs.
- **YARA rules:** Not applicable for identifying the execution of standard Python tools unless custom binaries or modified scripts were used.
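As an added example (not from the original post), the signature and behavioural ideas above turned into three rules and run over a few constructed telemetry records: network flows to the DC at `10.10.10.1` from the write-up, Security event 4741 (a computer account was created) and event 4688 (process creation). The allowlists `EXPECTED_LDAP_CLIENTS` and `PROVISIONING_ACCOUNTS`, the sample records and the host and user names are assumptions made up for the example.

```python
"""Detection rules for the SMB-to-LDAPS relay chain, run over constructed sample
telemetry (invented for this summary, not real logs). The three signals come
from the write-up: an unexpected host opening LDAP/LDAPS to a Domain Controller,
a computer account created by a non-provisioning principal (Security event
4741), and a relay tool command line in process-creation telemetry (event 4688)."""
import re
from typing import Dict, List

DOMAIN_CONTROLLERS = {"10.10.10.1"}                 # DC address used in the write-up
LDAP_PORTS = {389, 636}
EXPECTED_LDAP_CLIENTS = {"10.10.10.50"}             # assumption: hosts that legitimately bind to AD
PROVISIONING_ACCOUNTS = {"svc-sccm", "svc-mdt"}     # assumption: accounts allowed to join machines
# Signature from the write-up: ntlmrelayx invoked with the MIC-removal or account-creation flag.
RELAY_TOOL = re.compile(r"ntlmrelayx(\.py)?\b.*?(--remove-mic|--add-computer)", re.IGNORECASE)

# Constructed sample telemetry.
SAMPLE_FLOWS = [
    {"src": "10.10.10.50", "dst": "10.10.10.1", "dport": 636},   # known app server: expected
    {"src": "10.10.10.77", "dst": "10.10.10.1", "dport": 636},   # workstation-segment host: unexpected
    {"src": "10.10.10.77", "dst": "10.10.10.20", "dport": 445},  # SMB to a file server: out of scope here
]
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "jsmith", "TargetUserName": "snowmachine2$"},
    {"EventID": 4741, "SubjectUserName": "svc-sccm", "TargetUserName": "WS-0042$"},
    {"EventID": 4688, "Computer": "lab-box",
     "CommandLine": "python3 ntlmrelayx.py -t ldaps://10.10.10.1 --remove-mic --add-computer"},
    {"EventID": 4688, "Computer": "ws-0042",
     "CommandLine": "notepad.exe C:\\Users\\jsmith\\notes.txt"},
]


def rule_unexpected_ldap_client(flows: List[dict]) -> List[str]:
    """Behavioural: LDAP/LDAPS to a DC from a host outside the known-client baseline."""
    return [
        f"unexpected LDAP(S) client {f['src']} -> {f['dst']}:{f['dport']}"
        for f in flows
        if f["dst"] in DOMAIN_CONTROLLERS and f["dport"] in LDAP_PORTS
        and f["src"] not in EXPECTED_LDAP_CLIENTS
    ]


def rule_unsanctioned_computer_account(events: List[dict]) -> List[str]:
    """Behavioural: event 4741 whose creating principal is not a provisioning account.
    ms-DS-MachineAccountQuota lets any user do this, so an ordinary user as the
    subject is exactly what a relayed --add-computer looks like in the DC's log."""
    return [
        f"computer account {e['TargetUserName']} created by {e['SubjectUserName']}"
        for e in events
        if e["EventID"] == 4741 and e["SubjectUserName"].lower() not in PROVISIONING_ACCOUNTS
    ]


def rule_relay_tool_command_line(events: List[dict]) -> List[str]:
    """Signature: process creation whose command line matches the relay tool pattern."""
    return [
        f"relay tool command line on {e['Computer']}: {e['CommandLine']}"
        for e in events
        if e["EventID"] == 4688 and RELAY_TOOL.search(e.get("CommandLine", ""))
    ]


def detect(flows: List[dict] = SAMPLE_FLOWS, events: List[dict] = SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Run all rules and group the alerts by rule name."""
    return {
        "unexpected_ldap_client": rule_unexpected_ldap_client(flows),
        "unsanctioned_computer_account": rule_unsanctioned_computer_account(events),
        "relay_tool_command_line": rule_relay_tool_command_line(events),
    }


if __name__ == "__main__":
    for rule, alerts in detect().items():
        for alert in alerts:
            print(f"[{rule}] {alert}")
```

Event 4741 records the relayed user's identity as the subject, not the relay host, so pairing the account rule with the flow rule is what points at the machine that actually performed the bind; the command-line rule only fires on hosts where the tool runs under monitored process auditing.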
## Mitigation Strategies
- **Prevention Measures:**
  * **Mandate SMB Message Signing:** Configure Domain Controllers and member servers to require SMB signing to prevent relay attacks against these services.
  * **Disable LLMNR/NetBIOS broadcasts** on all hosts where possible within secure network segments.
  * **Restrict `ms-ds-machineaccountquota`:** Set the `ms-ds-machineaccountquota` attribute to 0 on the domain object, or to a value appropriate for only trusted IT systems, so that new computer object creation requires administrator approval.
- **Hardening Recommendations:**
  * Implement network segmentation to prevent unauthorized hosts from communicating over authentication protocols (like SMB) across broad segments.
  * Apply patches for **CVE-2019-1040** and related NTLM hardening; for the LDAP/LDAPS relay target specifically, requiring LDAP signing and LDAP channel binding (Extended Protection for Authentication) on Domain Controllers is the control that stops relayed NTLM from completing a bind.
  * Ensure endpoint protection detects the execution patterns of tools like Impacket and Responder.
## Related Tools/Techniques
- **Impacket:** A collection of Python classes for working with network protocols, including `ntlmrelayx.py`.
- **Responder:** Used for poisoning LLMNR and NetBIOS name resolution.
- **CrackMapExec (CME):** Used here to test the captured computer account credentials.
- **CVE-2019-1040 ("Drop the MIC"):** The underlying vulnerability allowing the NTLM authentication stream modification.