NTLM Relaying

In February 2024, Microsoft released an update to Exchange Server which contained a security improvement, referenced by CVE-2024-21410, that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019.  While we're currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.

With the release of Windows Server 2025 earlier this month, we released a similar security improvement to Active Directory Certificate Services (AD CS) by enabling EPA by default. Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default.  Together, these changes mitigate the risk of NTLM relaying attacks by default across three on-premises services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.[1]

Background - NTLM relaying is a popular attack method used by threat actors that allows for identity compromise. An NTLM relay attack typically involves two steps:

  • Coercing a victim to authenticate to an arbitrary endpoint.
  • Relaying the authentication against a vulnerable target.

By forwarding or relaying the victim's authentication to a vulnerable endpoint, attackers can authenticate and perform actions on behalf of the victim, which gives them an initial foothold for further domain compromise.  Stopping exploitation at the first step, the coercion vulnerabilities that hand attackers their initial primitive, is essential.  Comprehensively mitigating relay attacks, however, requires hardening the target services by default.  EPA and other channel binding mechanisms tie the authentication to the TLS channel between the client and the server it intended to reach, so an authentication relayed over a different channel is rejected; this is why these mitigations play such an important role in securing services against NTLM relay attacks.
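To make the channel binding argument concrete, the following PowerShell is an added example (not code from the original article or from Microsoft) that derives the EPA channel binding token the way MS-NLMP and RFC 5929 describe it, then plays both sides of a relay: the victim computes the token over the certificate of the TLS endpoint it actually reached (the attacker), and the real target recomputes it over its own certificate. The "certificates" here are constructed byte strings standing in for DER blobs, and the function names are this example's own.

```powershell
# Added example (not from the original article): how the Extended Protection
# channel-binding value is derived and why a relayed NTLM authentication fails it.
# Byte layout follows MS-NLMP MsvAvChannelBindings and RFC 5929 tls-server-end-point.

function Get-TlsServerEndPointHash {
    param([byte[]]$CertificateDer, [string]$SignatureHash = 'SHA256')
    # RFC 5929: hash the DER certificate with its signature algorithm's hash,
    # except MD5 and SHA-1, which are replaced by SHA-256.
    $alg = if ($SignatureHash -in 'MD5', 'SHA1') { 'SHA256' } else { $SignatureHash }
    return [System.Security.Cryptography.HashAlgorithm]::Create($alg).ComputeHash($CertificateDer)
}

function Get-NtlmChannelBindingValue {
    param([byte[]]$CertificateDer)
    $appData = [byte[]]([Text.Encoding]::ASCII.GetBytes('tls-server-end-point:') + (Get-TlsServerEndPointHash $CertificateDer))
    # gss_channel_bindings_struct as hashed by Windows: four zero DWORDs
    # (initiator/acceptor address types and lengths), then a little-endian
    # application_data length and the application data itself, all under MD5.
    $struct = [byte[]]([byte[]]::new(16) + [BitConverter]::GetBytes([uint32]$appData.Length) + $appData)
    return [System.Security.Cryptography.MD5]::Create().ComputeHash($struct)
}

# Server side: recompute the CBT over the server's own certificate and compare.
# "Always" rejects on mismatch or absence; "When supported" rejects a wrong
# value but still admits a client that sends no CBT at all.
function Test-ChannelBinding {
    param(
        [byte[]]$Received,
        [byte[]]$ServerCertificateDer,
        [ValidateSet('Always', 'WhenSupported')][string]$Mode = 'Always'
    )
    if (-not $Received -or $Received.Length -eq 0) { return ($Mode -eq 'WhenSupported') }
    $expected = Get-NtlmChannelBindingValue $ServerCertificateDer
    # Base64 comparison is a simple byte-array equality check for the demo.
    return ([Convert]::ToBase64String($Received) -eq [Convert]::ToBase64String($expected))
}

# Constructed stand-ins for DER certificates (real ones are ASN.1 blobs; the
# derivation only needs bytes). In a relay the attacker terminates the victim's
# TLS session with its own certificate and forwards the NTLM messages to the
# real server over a second TLS session.
$attackerCert = [Text.Encoding]::ASCII.GetBytes('CERT:attacker.example')
$targetCert   = [Text.Encoding]::ASCII.GetBytes('CERT:ldap.corp.example')

# Client side: the victim's NTLM AUTHENTICATE message carries the CBT computed
# over the certificate of the endpoint it actually connected to (the attacker).
$cbtFromVictim = Get-NtlmChannelBindingValue $attackerCert

Test-ChannelBinding -Received $cbtFromVictim -ServerCertificateDer $targetCert                 # False: relayed auth rejected
Test-ChannelBinding -Received $cbtFromVictim -ServerCertificateDer $attackerCert               # True: direct connection to the right server
Test-ChannelBinding -Received @() -ServerCertificateDer $targetCert -Mode 'WhenSupported'      # True: legacy client without CBT admitted
Test-ChannelBinding -Received @() -ServerCertificateDer $targetCert -Mode 'Always'             # False: "Always" also refuses clients that send no CBT
```

The last two calls show the trade-off behind the "Enabled - When supported" default discussed later on this page: it already defeats a relay that carries a CBT for the wrong server, but an attacker relaying a client that never emits a CBT is only stopped by "Enabled - Always".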

Enabling NTLM Relay mitigations - In the past, Microsoft observed threat actors exploiting services that lack NTLM relaying protections.  These include CVE-2023-23397 (an Outlook entry point relayed against Exchange Server), CVE-2021-36942 (an LSARPC entry point relayed against Active Directory Certificate Services (AD CS)), and ADV190023 (a WPAD entry point relayed against Lightweight Directory Access Protocol (LDAP)).  These incidents show that attackers routinely use relaying attacks in their campaigns.

In response to these observed NTLM relaying attacks, Microsoft released guidance for enabling EPA on AD CS, LDAP, and Exchange Server.  While this measure does protect domains against NTLM relaying attacks, it requires manual intervention by an administrator, which is not feasible in every environment.  Microsoft has therefore been working to enable NTLM relaying protections by default, so that environments are safeguarded against such attacks automatically.

Exchange Server - It is important to note the unique role that Exchange Server plays in the NTLM threat landscape, which is why Microsoft prioritized hardening it by default.  Office documents and emails sent through Outlook are effective entry points for NTLM coercion because they can carry embedded UNC paths that trigger outbound NTLM authentication.  Recent NTLM-related vulnerabilities in Office and other Windows client applications include CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563.  While Microsoft actively fixes specific instances of NTLM authentication coercion, attackers often use these vulnerabilities to relay authentication against a vulnerable server, which can lead to compromise of a victim's account.  Exchange Server is a prime target in such cases because it is so widely deployed as the mail server in enterprises.

Earlier this year, with the release of Exchange Server 2019 CU14, Exchange Server now has EPA enabled by default.  Exchange Server 2016 is in extended support, and no further CUs are planned for this version.  Customers using Exchange Server 2016 can enable EPA via a script.

Microsoft recognizes that EPA may not be trivial to enable in all environments.  A significant portion of the work to enable EPA by default went into supporting additional scenarios that were not compatible with EPA before.  For more information on EPA enablement in your environment, refer to the guidance provided in both the security advisory and the Exchange update blog.

AD CS and LDAP – Microsoft has also announced that Windows Server 2025, which is now generally available, ships with EPA enabled by default for both AD CS and LDAP.  Note that the current default EPA setting in Server 2025 is Enabled - When supported, which allows clients that do not support channel bindings to omit them.  The stronger setting for enterprises that do not need to support legacy clients is Enabled – Always, and Microsoft intends to move the default further in future versions of Windows.  Administrators on Windows Server 2022 and 2019 can manually enable EPA for AD CS and channel binding for LDAP.  Microsoft has also added auditing support for LDAP that identifies machines which do not support channel binding, so that administrators can upgrade or remediate those clients before enforcing channel binding.
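The following PowerShell is an added example (not from the original article or from Microsoft's guidance documents) showing how an administrator on Windows Server 2019 or 2022 would inspect and raise the settings this section describes: the AD CS web enrollment EPA level in IIS, the LDAP channel binding and signing registry values, and the LDAP diagnostic logging that reveals clients which would break under "always". It assumes the default CertSrv path under "Default Web Site" and the documented registry value names; the event ID list is taken from Microsoft's LDAP channel binding documentation and is marked as something to confirm against your own domain controller log.

```powershell
# Added example (not from the original article): raising EPA / channel binding
# on Windows Server 2019/2022, where it is not on by default. Run elevated on the
# CA web enrollment host (IIS) and on each domain controller respectively.

Import-Module WebAdministration   # ships with the IIS role

# --- AD CS web enrollment (CertSrv): EPA is an IIS Windows Authentication setting ---
# tokenChecking: None = EPA off, Allow = "Enabled - When supported" (the Windows
# Server 2025 default), Require = "Enabled - Always".
$site   = 'Default Web Site/CertSrv'   # assumption: default enrollment path
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-CertSrvEpaMode {
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter $filter -Name 'tokenChecking').Value
}

function Set-CertSrvEpa {
    param([ValidateSet('Allow', 'Require')][string]$Mode = 'Require')
    # EPA is meaningless without TLS: the token binds to the server certificate, so require SSL first.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter $filter -Name 'tokenChecking' -Value $Mode
}

# --- LDAP on domain controllers: channel binding and signing are registry-backed ---
# LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always (ADV190023).
# LDAPServerIntegrity:       1 = none,  2 = require signing.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardening {
    [pscustomobject]@{
        ChannelBinding = (Get-ItemProperty $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
        Signing        = (Get-ItemProperty $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    }
}

function Set-LdapChannelBinding {
    param([ValidateSet(1, 2)][int]$Level = 2)
    Set-ItemProperty $ntds -Name LdapEnforceChannelBinding -Value $Level -Type DWord
}

# --- Find the clients that would break before moving to "always" ---
# With '16 LDAP Interface Events' = 2 the DC writes Directory Service events for
# binds that a stricter policy would refuse: 2889 (unsigned / simple binds) and
# 3039 (a bind that would have failed CBT validation); 3074/3075 are the
# periodic summary counters. Confirm these IDs against your own DC's log.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value 2 -Type DWord

function Get-LdapCbtFailures {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889, 3039, 3074, 3075; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-CertSrvEpaMode                 # None on an unhardened 2019/2022 CA; Allow is the Server 2025 default
Set-CertSrvEpa -Mode Require
Get-LdapHardening
Set-LdapChannelBinding -Level 1    # start at "when supported", review Get-LdapCbtFailures, then move to 2
```

Start with level 1 and the diagnostic logging for at least one full business cycle; the 3039 events name the clients (typically down-level or third-party LDAPS stacks) that must be fixed before level 2 can be rolled out without an outage.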

With EPA on by default in Exchange Server 2019 CU14, released earlier this year, and in AD CS and LDAP as part of Windows Server 2025, those versions now ship with strong defenses against NTLM relay attacks.  Additional changes to default EPA enablement are in the pipeline for more Windows services.  Moving forward, Microsoft will continue to enable EPA across more services by default in future versions, with the aim of eliminating this class of NTLM relay attacks entirely.

Looking ahead: The future of NTLM - NTLM is a legacy protocol, and Microsoft has been recommending that customers prepare for NTLM being disabled by default in a future version of Windows.  Microsoft has also been encouraging customers to catalogue and reduce their dependencies on NTLM and to move to modern authentication protocols such as Kerberos.  In the interim, Microsoft is exploring various strategies to harden against NTLM attacks.  Notably, in Windows Server 2025 and Windows 11 24H2, NTLMv1 has been removed and the more commonly used NTLMv2 is deprecated.  Additionally, administrators now have the option to configure SMB to block NTLM.
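As an added example (not from the original article or from Microsoft), the PowerShell below shows the practical sequence behind "catalogue and reduce dependencies" and the SMB block mentioned above: switch the Restrict NTLM policies to audit-only, summarise what the NTLM operational log recorded, and only then enable the SMB client's NTLM block. It uses the documented registry backing values for the "Network security: Restrict NTLM" policies and the `-BlockNTLM` parameter of `Set-SmbClientConfiguration`, which exists only on Windows 11 24H2 and Windows Server 2025; the report function's name and output shape are this example's own.

```powershell
# Added example (not from the original article): inventory remaining NTLM use,
# then block NTLM for SMB. Run elevated. Registry values are the backing store of
# the "Network security: Restrict NTLM" Group Policy settings.

# 1. Audit only. Incoming: 2 = audit all accounts. Outgoing: 1 = audit, do not block.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord
Set-ItemProperty $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
# On domain controllers, additionally audit NTLM authentication in the domain (7 = all):
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name AuditNTLMInDomain -Value 7 -Type DWord

# 2. Summarise the audit. Events land in Microsoft-Windows-NTLM/Operational:
#    8001 outgoing NTLM (client), 8002 incoming NTLM (server), 8003/8004 domain audits (DC).
#    Field names differ per event, so every EventData pair is flattened into one
#    key string (for 8001 that includes the target server and client process name).
function Get-NtlmDependencyReport {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $pairs = foreach ($n in $x.Event.EventData.Data) { '{0}={1}' -f $n.Name, $n.'#text' }
            [pscustomobject]@{ Id = $_.Id; Details = ($pairs -join '; ') }
        } |
        Group-Object Id, Details | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# 3. When the report is empty, or every remaining hit is a known and accepted
#    exception, block NTLM on the SMB client. The parameter is absent on older builds,
#    so check for it rather than failing mid-rollout with a binding error.
function Set-SmbNtlmBlock {
    param([bool]$Enabled = $true)
    $params = (Get-Command Set-SmbClientConfiguration).Parameters
    if (-not $params.ContainsKey('BlockNTLM')) {
        throw 'This Windows build does not support Set-SmbClientConfiguration -BlockNTLM (requires Windows 11 24H2 / Windows Server 2025).'
    }
    Set-SmbClientConfiguration -BlockNTLM $Enabled -Force
}

Get-NtlmDependencyReport -Days 7 | Format-Table -AutoSize
# Set-SmbNtlmBlock -Enabled $true     # uncomment once the report is clean
```

The order matters: the audit values are harmless, but `RestrictSendingNTLMTraffic = 2` or the SMB block applied before the report is clean will break any share or service that still falls back to NTLM (for example hosts reached by IP address, where Kerberos has no SPN to use).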

The progress towards secure-by-default settings across the ecosystem is aligned with the principles of Microsoft's Secure Future Initiative.  As Microsoft progresses towards disabling NTLM by default, immediate, short-term changes such as enabling EPA in Exchange Server, AD CS and LDAP reinforce a 'secure by default' posture and safeguard users from real-world attacks.  Microsoft looks forward to investing in more secure-by-default NTLM hardening measures across supported versions in the near future.

The Microsoft security mitigations presented are a result of the tremendous work across multiple teams and organizations within Microsoft, notably, Exchange and Windows. 

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Red Sky provides indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://msrc.microsoft.com/blog/2024/12/mitigating-ntlm-relay-attacks-by-default/
