NTLM relay attacks, once thought to be a relic of the past, have re-emerged as a significant threat in modern Active Directory environments. Despite years of research and incremental security improvements, most enterprise domains remain susceptible to these attacks, creating wide-reaching risks for lateral movement and privilege escalation. Recent incident response data and penetration test results underscore that NTLM relay techniques are resurging in real-world exploit chains, refuting the widespread perception that these vulnerabilities had been “solved.” Understanding why NTLM relay remains prevalent, how attackers exploit it, and what can be done to enforce effective mitigations is crucial for defenders in 2025.
Source: Help Net Security NTLM relay attacks are back from the dead - Help Net Security
Understanding NTLM: The Legacy That Lingers
NTLM (NT LAN Manager) is an authentication protocol dating back to the 1990s. While newer protocols like Kerberos—introduced with Windows 2000—are now preferred in Active Directory (AD) environments for their enhanced security and flexibility, NTLM persists as a fallback. In many cases, NTLM is called directly by legacy applications or hardcoded in software integrating with Windows authentication. The “Negotiate” package is supposed to favor Kerberos when available, but this fails if either party doesn’t support it or if direct NTLM calls are present in the software stack.
The core NTLM authentication protocol stages involve:
- Negotiate — Client replies with supported security features.
- Challenge — Server returns a nonce (challenge) to the client.
- Authenticate — Client responds with a hash derived from the challenge and its secret.
The Problem: NTLM Relay Attacks Demystified
While it effectively thwarts replay attacks, NTLM is fundamentally vulnerable to “relay” attacks. In a relay scenario, an adversary intercepts authentication messages between a legitimate client and server and passes them along unaltered to another server. Because NTLM doesn’t bind the authentication process to a specific server or endpoint, the attacker can impersonate the victim wherever their credentials are accepted, gaining the same level of access as the relayed user.
A common misconception is that such an attack requires opportunity—i.e., waiting for the victim to authenticate at a vulnerable moment. In reality, attackers weaponize “authentication coercion” bugs to forcibly trigger immediate authentication attempts, making relay practical and scalable.
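The lack of binding described above, shown as an added example that is not part of the original article: a reduced model of a challenge-response login, first without and then with channel binding. The HMAC-SHA256 function, the secret and the endpoint names are assumptions chosen only to show the effect; real NTLMv2 uses HMAC-MD5 over NTLM-specific fields.

```powershell
# Added example, not from the article: a reduced model of challenge-response login
# with and without channel binding. Real NTLMv2 uses HMAC-MD5 over NTLM-specific
# fields; HMAC-SHA256 and the string identities below are assumptions made only to
# show why an unbound response can be accepted by a different server.
function Get-ChallengeResponse {
    param([byte[]]$Secret, [byte[]]$Challenge, [string]$BindingId = '')
    # Without binding the response depends only on the challenge, so it is valid at
    # whichever server issued that challenge. With binding the client also mixes in
    # the identity of the endpoint it believes it is authenticating to.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Secret)
    $data = [byte[]]($Challenge + [System.Text.Encoding]::UTF8.GetBytes($BindingId))
    try { return [System.BitConverter]::ToString($hmac.ComputeHash($data)) }
    finally { $hmac.Dispose() }
}

function Test-RelayAccepted {
    param([bool]$ChannelBinding)
    $secret    = [System.Text.Encoding]::UTF8.GetBytes('constructed-victim-secret')
    $challenge = [byte[]](1..8)   # constructed nonce issued by the real target (server B)
    # The relay forwards B's challenge to the victim, who believes it is talking to
    # the relay host, then forwards the victim's answer back to B.
    $endpointSeenByClient = if ($ChannelBinding) { 'relay-host.example' }   else { '' }
    $endpointCheckedByB   = if ($ChannelBinding) { 'fileserver-b.example' } else { '' }
    $clientAnswer = Get-ChallengeResponse $secret $challenge $endpointSeenByClient
    $expectedByB  = Get-ChallengeResponse $secret $challenge $endpointCheckedByB
    # $true means server B accepts the relayed login; $false means it is rejected
    return ($clientAnswer -eq $expectedByB)
}

"Without channel binding, relay accepted: $(Test-RelayAccepted -ChannelBinding $false)"
"With channel binding, relay accepted:    $(Test-RelayAccepted -ChannelBinding $true)"
```

Signing works on the same principle at the session layer: once both sides key their traffic off the exchange, a relay that never learned the secret cannot produce valid signatures.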
How Coerced Authentication Amplifies the Threat
Techniques like the Printer Bug and PetitPotam are used to provoke systems into initiating NTLM authentication on demand. Any authenticated user can initiate these techniques, so the attack surface is massive. Once coerced, the attacker's relay machine simply carries NTLM messages between a duped client and a vulnerable server undetected, creating backdoor access to sensitive enterprise assets.
Key Targets for NTLM Relay in 2025
NTLM relay attacks focus on three principal targets, each exposing unique next steps and risks for enterprise defenders:
1. SMB Servers: The Most Unforgiving Vector
Server Message Block (SMB) is integral to Windows file sharing and remote management. A successful NTLM relay to SMB enables attackers to:
- Access administrative shares like C$ or ADMIN$.
- Dump LSA secrets (credentials stored in memory) via Remote Registry.
- Move laterally by controlling Service Control Manager.
- Seize control over critical infrastructure, like the SCCM (System Center Configuration Manager) site or database servers.
2. LDAP and LDAPS: Gold Mines for Escalation
LDAP (Lightweight Directory Access Protocol) and its encrypted variant, LDAPS, form the backbone of directory services in AD environments. Relaying NTLM authentication to these services can yield:
- Unauthorized directory data access.
- Object manipulation (e.g., group memberships, permissions).
- Elevated privilege acquisition with further lateral movement.
3. ADCS Web Enrollment (ESC8): Certificates for Impersonation
Active Directory Certificate Services (ADCS) can unwittingly provide attackers with cryptographic certificates for victim accounts through NTLM relay. This lets adversaries fully impersonate a user, persist stealthily, or extend attacks into hybrid cloud. Exploiting this vector is more involved—requiring the right certificate templates and CA configurations—but is a devastating capability.
The default “Machine” template on ADCS is one of the most common culprits, potentially exposing every computer in the domain if relaying is feasible. The attack gains further potency in cloud-integrated environments using certificate-based authentication.
Why the Problem Isn’t Going Away
Despite advances like SMB signing and channel binding, the reality is that most organizations do not enable these controls. This is often because legacy applications or older servers don’t support these newer features, and changing them risks operational disruptions. The lack of default enforcement means environments are effectively “opt-in” for relay protection.
Additionally, disabling NTLM outright is not practical for many enterprises, due to legacy dependencies and software incompatibility. Microsoft has officially stated plans to disable NTLM by default but acknowledges that this transition may be years out, leaving a long window where exposure remains high.
Complicating matters, the elevation of new relay and coercion techniques—developed at a faster pace than mitigations are broadly deployed—means that even informed organizations struggle to keep up.
Critical Analysis: A Shifting Landscape
While Microsoft and security researchers have made impressive progress in curbing the technical enablers of NTLM relay, the attack remains “the bread and butter” of red teams and hostile actors. Key strengths of the attacker model include:
- Simplicity and Speed: Once set up, relays are swift and often invisible to standard monitoring.
- Minimal Requirements: No need to guess or crack passwords. Merely relaying the challenge-response is often enough.
- Universal Attack Surface: Any authenticated user can trigger coercion techniques in most AD environments.
Developments narrowing the attacker's advantage include:
- SMB and LDAP Defaults Changing: After years of inaction, Microsoft is moving to enforce SMB signing on modern OSes and sealing on LDAP SASL binds. While uneven, this raises the security baseline.
- Tooling and Enlightenment: Security tools like Microsoft Defender for Identity, advanced SIEM detection rules, and breach and attack simulation tools are making relay attacks more conspicuous—provided organizations deploy and properly tune these capabilities.
- Community Disclosure and Research: Highly technical, accessible write-ups and tools (e.g., the “Certified Pre-Owned” white paper) have forced defenders to acknowledge and address misconfigurations, especially around ADCS and certificate templates.
Obstacles that keep the exposure alive include:
- Pace of Upgrade: Enterprises typically lag years behind the newest defaults. As of 2025, the vast majority of domain controllers worldwide still run on versions prior to Server 2025, meaning legacy exposures persist.
- Operational Constraints: Many servers cannot immediately enable signing or channel binding due to compatibility with older software systems.
- Variability Across Environments: Security setting enforcement operates at the server or DC level, not universally across domains, creating patchworks of protected and vulnerable resources.
Empirical Evidence: Not “Solved” Yet
Anecdotal data from incident response consultancies and penetration testing teams indicates that the prevalence of NTLM relay in real-world attacks has increased in recent years. In multiple high-profile cases, NTLM relay was identified as a key mechanism for attackers to achieve initial privilege escalation from Authenticated Users to Tier Zero assets.
Consultants report that attacks leveraging NTLM relay typically do not require exotic exploits or zero-days. Instead, they exploit well-known, often unpatched defaults—which are present in the majority of client consulting portfolios. This evidence directly contradicts narratives that relay attacks are “solved” or stand as low operational concern.
Defending Against NTLM Relay: What Actually Works?
Given the landscape, organizations need to be strategic and disciplined about their preventive controls. Effective defense blends technical enforcement with process rigor:
1. Enforce SMB Signing—Where Possible
- New Deployments: Ensure SMB signing is enforced by default. Windows Server 2025 and Windows 11 now do this.
- Existing Estates: Group Policy can push SMB signing to legacy systems, but always test legacy application compatibility prior to enforcement.
- Exceptions: Where servers/applications cannot support signing, document and isolate them—do not leave as invisible exceptions in risk registers.
2. Mandate LDAP Signing and Channel Binding
- Enforcement: Activate both settings via GPO on all domain controllers. Do a staged rollout to identify incompatible systems and upgrade or replace as needed.
- Audit: Use regular configuration scanning and policy compliance automation to detect drift and “split-brain” DC implementations.
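The audit step in sections 1 and 2, as an added example that is not from the article or from Microsoft: it reads the registry values that the SMB signing, LDAP signing and LDAP channel binding policies write, on each host listed, and reports hosts below the required level. The host names, the $Baseline thresholds and the use of WinRM (Invoke-Command) are assumptions; run it from an administrative workstation with the ActiveDirectory module available.

```powershell
# Added example, not from the article: read the registry values behind the SMB
# signing, LDAP signing and LDAP channel binding policies on every host listed and
# flag hosts that fall short of the required baseline. Host names and the $Baseline
# thresholds are assumptions; run from an admin workstation with WinRM access.
$Baseline = @(
    @{ Setting='SMB server signing'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name='RequireSecuritySignature'; Required=1; DcOnly=$false }
    @{ Setting='SMB client signing'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name='RequireSecuritySignature'; Required=1; DcOnly=$false }
    # Domain controllers only: LDAPServerIntegrity 2 = require signing,
    # LdapEnforceChannelBinding 2 = always require channel binding
    @{ Setting='LDAP signing'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name='LDAPServerIntegrity'; Required=2; DcOnly=$true }
    @{ Setting='LDAP channel binding'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name='LdapEnforceChannelBinding'; Required=2; DcOnly=$true }
)

function Get-RelayHardeningState {
    param([string[]]$ComputerName, [array]$Checks = $Baseline)
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Checks) -ScriptBlock {
        param($Checks)
        # Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC
        $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
        foreach ($c in $Checks) {
            if ($c.DcOnly -and -not $isDc) { continue }
            $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            # $null means the value is absent and the OS default applies
            $actual = if ($item) { $item.($c.Name) } else { $null }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Setting   = $c.Setting
                Actual    = $actual
                Required  = $c.Required
                Compliant = ($actual -eq $c.Required)
            }
        }
    } | Select-Object Computer, Setting, Actual, Required, Compliant
}

# Usage: check all DCs plus selected member servers. A Setting that is compliant on
# some DCs and not others is the "split-brain" enforcement the text warns about.
$targets = @((Get-ADDomainController -Filter *).HostName) + @('fileserver01.corp.example')
Get-RelayHardeningState -ComputerName $targets |
    Where-Object { -not $_.Compliant } |
    Sort-Object Setting, Computer | Format-Table -AutoSize
```

Schedule the run and diff its output against the previous one to catch drift; an empty result means every listed host meets the baseline, not that the baseline itself is adequate for the environment.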
3. Harden ADCS and Certificate Templates
- Review Templates: Remove excessive enroll permissions from certificate templates, especially for machine and user templates.
- ADCS Access Control: Limit enrollment and admin privileges to only what is strictly required for operational needs.
- Monitoring: Set up identity governance audits to detect anomalous certificate enrollments.
4. Reduce NTLM Exposure
- Identify Dependencies: Catalog all systems, applications, and services still relying on NTLM.
- Prioritize Migration: Where possible, migrate these dependencies to Kerberos or other safer authentication mechanisms.
- Plan for Future Enforcement: Monitor Microsoft’s roadmap for NTLM deprecation and collaborate internally to ready the organization for enforced phaseout timelines.
5. Proactive Monitoring and Incident Response
- Detect Relay Indicators: Utilize network monitoring and advanced detection tools to spot unexpected SMB or LDAP authentications, rapidly shifting source IPs, or “coerced” patterns consistent with Printer Bug or PetitPotam.
- Investigate Anomalous Actions: Correlate shadow credential activity or sudden changes in access patterns to NTLM relay TTPs.
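Two of the relay indicators named in this section, as an added example that is not from the article: heuristics run over a handful of constructed 4624 (successful logon) events. Both heuristics and all sample values are assumptions for illustration: (a) an NTLM network logon whose claimed WorkstationName does not match the inventory address of the IP it arrived from, and (b) one account making NTLM network logons to several targets from one source IP inside a short window.

```powershell
# Added example, not from the article: two relay-indicator heuristics run over
# constructed 4624 (successful logon) events. Both heuristics are assumptions for
# illustration: (a) an NTLM network logon whose claimed WorkstationName does not
# match the inventory address of the IP it arrived from, and (b) one account making
# NTLM network logons to several targets from one IP inside a short window.
$Events = @(   # constructed sample events, not real telemetry
    [pscustomobject]@{ Time='2025-03-01T10:00:01'; Target='DC01';   Account='WS07$'; Package='NTLM';     LogonType=3; Workstation='WS07'; Ip='10.1.1.7'  }
    [pscustomobject]@{ Time='2025-03-01T10:00:03'; Target='FS01';   Account='WS07$'; Package='NTLM';     LogonType=3; Workstation='WS07'; Ip='10.1.9.99' }
    [pscustomobject]@{ Time='2025-03-01T10:00:04'; Target='SCCM01'; Account='WS07$'; Package='NTLM';     LogonType=3; Workstation='WS07'; Ip='10.1.9.99' }
    [pscustomobject]@{ Time='2025-03-01T10:05:00'; Target='FS01';   Account='jdoe';  Package='Kerberos'; LogonType=3; Workstation='WS12'; Ip='10.1.1.12' }
)
$Inventory = @{ 'WS07' = '10.1.1.7'; 'WS12' = '10.1.1.12' }   # constructed host-to-IP inventory

function Find-RelayIndicators {
    param($Events, [hashtable]$Inventory, [int]$WindowSeconds = 60)
    $ntlm = @($Events | Where-Object { $_.Package -eq 'NTLM' -and $_.LogonType -eq 3 })
    # (a) claimed workstation vs. observed source IP
    foreach ($e in $ntlm) {
        $expected = $Inventory[$e.Workstation]
        if ($expected -and $expected -ne $e.Ip) {
            [pscustomobject]@{ Indicator='workstation/IP mismatch'; Account=$e.Account; Ip=$e.Ip; Targets=$e.Target; Time=$e.Time }
        }
    }
    # (b) same account and source IP fanning out to several targets quickly
    $ntlm | Group-Object Account, Ip | ForEach-Object {
        $group   = @($_.Group | Sort-Object Time)
        $targets = @($group.Target | Sort-Object -Unique)
        $span    = ([datetime]$group[-1].Time) - ([datetime]$group[0].Time)
        if ($targets.Count -gt 1 -and $span.TotalSeconds -le $WindowSeconds) {
            [pscustomobject]@{ Indicator='multi-target burst'; Account=$group[0].Account; Ip=$group[0].Ip; Targets=($targets -join ','); Time=$group[0].Time }
        }
    }
}

Find-RelayIndicators -Events $Events -Inventory $Inventory | Format-Table -AutoSize
```

On the sample data the WS07$ logons from 10.1.9.99 trip both heuristics while the Kerberos logon is ignored; in production, feed the function from Security log exports and tune the window and inventory to the environment's normal fan-out.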
6. Continuous Red Teaming and Risk Assessment
- Simulate Attacks: Regularly conduct red team operations and breach simulations using contemporary NTLM relay toolkits to reveal residual exposure.
- Prioritize Remediation: Systematically patch the highest-risk servers and services first, especially those bridging trust boundaries between security tiers.
The Path Forward: Proactive, Not Reactionary
NTLM relay remains a vivid example of an attack vector that is technically “fixable”—but organizational inertia and legacy compatibility preserve it as a live threat. As high-profile breaches and offensive research maintain a spotlight on these attacks, it is imperative for defenders to stay ahead—by continuously hardening configurations, auditing controls, and advocating for secure-by-default product behavior from vendors.
Enterprises who commit to the following principles are best positioned to outpace adversaries exploiting NTLM relay:
- Assume Exposure and Test Proactively: Deliberately hunt for relay paths, even after initial mitigations are implemented.
- Modernize with Purpose: Upgrade domain controllers and servers to editions that enforce safer defaults, closing decade-old doors to attackers.
- Champion Defense-in-Depth: Don’t view signatures, bindings, or even NTLM deprecation as panaceas—stack controls and monitoring for comprehensive protection.
Conclusion
The resurgence of NTLM relay attacks is not just a technical curiosity, but a pressing threat impacting the core of Active Directory security. With adversaries armed with both coercion and relay techniques, environments still defaulting to insecure configurations are wide open to rapid compromise. Microsoft’s gradual pivot to secure defaults and enforced protections is promising, but until widely adopted, proactive defense is the only real safeguard. Defenders must move beyond viewing NTLM relay as a “solved problem” and adopt a stance of constant vigilance and improvement. By combining immediate technical mitigations with long-term modernization goals, organizations can finally put NTLM relay threats to rest—before attackers do it for them.