
security analyst · security skill · risk: medium

NTLM Relay Attack Event Log Analyzer

The prompt defines procedures for detecting NTLM relay attacks via Windows Event 4624 type-3 logons with NTLMSSP, IP-hostname mismatches, rapid authentications, named pipe access,…


SKILL.md
---
name: hunting-for-ntlm-relay-attacks
description: "Detect NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP authentication, identifying"
---
# Hunting for NTLM Relay Attacks

## Overview

NTLM relay attacks intercept and forward NTLM authentication messages to gain unauthorized access to network resources. Attackers use tools like Responder for LLMNR/NBT-NS poisoning and ntlmrelayx for credential relay. This skill detects relay activity by querying Windows Security Event 4624 (successful logon) for type 3 network logons with NTLMSSP authentication, identifying mismatches between WorkstationName and source IpAddress, detecting rapid multi-host authentication from single accounts, and auditing SMB signing configuration across domain hosts.


## When to Use

- When investigating security incidents that require hunting for NTLM relay attacks
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Python 3.9+ with Windows Event Log access or exported logs
- Windows Security audit logging enabled (Event ID 4624, 4625, 5145)
- Network access for SMB signing status checks

## Key Detection Areas

1. **IP-hostname mismatch** — WorkstationName in Event 4624 does not resolve to the source IpAddress
2. **NTLMSSP authentication** — logon events using NTLM instead of Kerberos from domain-joined hosts
3. **Machine account relay** — computer accounts (ending in $) authenticating from unexpected IPs
4. **Rapid authentication** — single account authenticating to multiple hosts within seconds
5. **Named pipe access** — Event 5145 showing access to Spoolss, lsarpc, netlogon, samr pipes
6. **SMB signing disabled** — hosts not enforcing SMB signing, enabling relay attacks

## Output

JSON report with suspected relay events, IP-hostname correlation anomalies, SMB signing audit results, and MITRE ATT&CK mapping to T1557.001.
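The following is an added worked example written for this page; it is not the skill's own code, and the events, the hostname-to-IP inventory and the SMB signing results it consumes are constructed sample data. It runs the detection areas listed above (NTLM type-3 logons whose WorkstationName does not map to the source IpAddress, machine accounts among those mismatches, one account reaching several hosts within a short window, and Event 5145 access to the relay-relevant named pipes) over exported events and emits the JSON report shape the Output section describes, including the T1557.001 mapping. The window and host-count thresholds are assumptions to tune per environment.

```python
"""NTLM relay hunting pass over exported Windows Security events (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names follow the Event 4624 / 5145 XML data names.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:00:00", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jdoe", "WorkstationName": "WS01", "IpAddress": "10.0.0.50", "Computer": "FS01"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:00:02", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jdoe", "WorkstationName": "WS01", "IpAddress": "10.0.0.50", "Computer": "DC01"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:00:05", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jdoe", "WorkstationName": "WS01", "IpAddress": "10.0.0.50", "Computer": "SQL01"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:01:00", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "WS07$", "WorkstationName": "WS07", "IpAddress": "10.0.0.50", "Computer": "DC01"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:02:00", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "asmith", "WorkstationName": "WS02", "IpAddress": "10.0.0.12", "Computer": "FS01"},
    {"EventID": 5145, "TimeCreated": "2024-05-01T10:00:03", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.50",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "lsarpc", "Computer": "DC01"},
]
# Constructed asset inventory: the IP each workstation is expected to use (DNS/DHCP/CMDB in practice).
HOST_TO_IP = {"WS01": "10.0.0.11", "WS02": "10.0.0.12", "WS07": "10.0.0.17"}
# Constructed SMB signing audit input: host -> signing required? (gathered by a signing check in practice).
SMB_SIGNING = {"FS01": False, "DC01": True, "SQL01": False}

RELAY_PIPES = {"spoolss", "lsarpc", "netlogon", "samr"}   # pipes named in the detection areas
RAPID_WINDOW = timedelta(seconds=30)                      # assumed threshold, tune per environment
RAPID_HOSTS = 3                                           # assumed threshold, tune per environment


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def _ntlm_network_logons(events):
    """Event 4624, logon type 3, NTLM package: the population every relay check starts from."""
    return [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"] == "NTLM"]


def find_ip_hostname_mismatches(events, host_to_ip):
    """WorkstationName (copied from the relayed NTLM message) maps to a different IP than IpAddress."""
    hits = []
    for ev in _ntlm_network_logons(events):
        expected = host_to_ip.get(ev["WorkstationName"].upper())
        if expected and expected != ev["IpAddress"]:
            hits.append({"time": ev["TimeCreated"], "account": ev["TargetUserName"],
                         "workstation": ev["WorkstationName"], "expected_ip": expected,
                         "source_ip": ev["IpAddress"], "target_host": ev["Computer"],
                         "machine_account": ev["TargetUserName"].endswith("$")})
    return hits


def find_rapid_authentications(events, window=RAPID_WINDOW, min_hosts=RAPID_HOSTS):
    """One account authenticating to >= min_hosts distinct hosts inside a sliding time window."""
    by_account = defaultdict(list)
    for ev in _ntlm_network_logons(events):
        by_account[ev["TargetUserName"]].append(ev)
    hits = []
    for account, evs in by_account.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            hosts = {e["Computer"] for e in evs[i:] if _ts(e) - _ts(first) <= window}
            if len(hosts) >= min_hosts:
                hits.append({"account": account, "window_start": first["TimeCreated"], "hosts": sorted(hosts)})
                break  # one finding per account is enough for triage
    return hits


def find_named_pipe_access(events):
    """Event 5145 on IPC$ where the relative target is one of the relay-relevant pipes."""
    return [{"time": e["TimeCreated"], "account": e["SubjectUserName"], "source_ip": e["IpAddress"],
             "pipe": e["RelativeTargetName"], "target_host": e["Computer"]}
            for e in events if e["EventID"] == 5145 and e["ShareName"].endswith("IPC$")
            and e["RelativeTargetName"].lower() in RELAY_PIPES]


def build_report(events, host_to_ip, smb_signing):
    """Assemble the JSON-serialisable report described in the Output section."""
    mismatches = find_ip_hostname_mismatches(events, host_to_ip)
    rapid = find_rapid_authentications(events)
    pipes = find_named_pipe_access(events)
    return {
        "suspected_relay_events": mismatches + pipes,
        "ip_hostname_anomalies": mismatches,
        "rapid_authentications": rapid,
        "named_pipe_access": pipes,
        "smb_signing_audit": {"signing_not_required": sorted(h for h, req in smb_signing.items() if not req)},
        "mitre_attack": {"technique_id": "T1557.001",
                         "name": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay"},
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_EVENTS, HOST_TO_IP, SMB_SIGNING), indent=2))
```

On the sample data the three `jdoe` logons and the `WS07$` logon are flagged as IP-hostname mismatches (all arrive from 10.0.0.50 while their workstation names belong to other addresses), `jdoe` trips the rapid-authentication check by reaching three hosts within five seconds, the `lsarpc` pipe open on DC01 is recorded, and FS01 and SQL01 are listed as not requiring SMB signing; the Kerberos logon is ignored. In production the event list would come from an EVTX export or a SIEM query, and the hostname inventory from DNS or the CMDB rather than a literal.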

REQUIRED CONTEXT

  • Windows Security Event 4624 logs
  • Windows Event 5145 logs

EXPECTED OUTPUT

Format: json
Schema: json · suspected relay events, IP-hostname correlation anomalies, SMB signing audit results, MITRE ATT&CK mapping
Constraints
  • include suspected relay events
  • include IP-hostname correlation anomalies
  • include SMB signing audit results
  • include MITRE ATT&CK mapping to T1557.001

SUCCESS CRITERIA

  • Detect relay activity via Event 4624 analysis
  • Identify IP-hostname mismatches and rapid authentications
  • Audit SMB signing status
  • Map findings to T1557.001

CAVEATS

Dependencies
  • Python 3.9+ with Windows Event Log access or exported logs
  • Windows Security audit logging enabled (Event ID 4624, 4625, 5145)
  • Network access for SMB signing status checks
Missing context
  • Exact JSON schema or example output structure
  • Sample queries, code snippets, or log field mappings
Ambiguities
  • YAML frontmatter description is truncated mid-sentence ('identifying')

QUALITY

  • Overall: 0.68
  • Clarity: 0.80
  • Specificity: 0.65
  • Reusability: 0.55
  • Completeness: 0.70

IMPROVEMENT SUGGESTIONS

  • Complete the truncated YAML description sentence.
  • Add a minimal example JSON report to clarify the expected Output format.
