Does this skill require specific log settings?

Yes, Windows Security audit logging must be enabled for Event IDs 4624, 4625, and 5145 to provide the necessary data for analysis.

What specific Windows events does this skill analyze?

The skill primarily targets Event ID 4624 (Successful Logon) for network logons (Type 3) and Event ID 5145 for tracking network share and named pipe access.

Can it help with MITRE ATT&CK mapping?

Yes, this skill is specifically designed to detect techniques mapped to MITRE ATT&CK T1557.001 (Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay).

How does it identify tools like Responder?

It identifies these tools by flagging mismatches between the reported WorkstationName and the source IP address, which is a common signature of relay tools like Responder and ntlmrelayx.

Hunting for NTLM Relay Attacks

Name: Hunting for NTLM Relay Attacks
Author: mukul975

bymukul975

•

4,121

•

Security & Testing

Detects and analyzes NTLM relay attacks by monitoring Windows Event Logs, identifying authentication anomalies, and auditing SMB signing configurations.

This skill provides specialized capabilities for threat hunters and SOC analysts to identify NTLM relay activity within Active Directory environments. It focuses on analyzing Windows Event 4624 (Logon Type 3) for NTLMSSP authentication, flagging IP-to-hostname mismatches, and detecting suspicious patterns like machine account relay or rapid multi-host authentication. By auditing SMB signing configurations and monitoring named pipe access, it helps security professionals validate monitoring coverage and investigate potential credential access techniques like MITRE ATT&CK T1557.001.

Key Features

01Identifies rapid authentication patterns from single accounts across multiple hosts

02Audits SMB signing status to identify vulnerable hosts in the network

034,121 GitHub stars

04Detects IP-address-to-WorkstationName mismatches indicative of relay tools

05Monitors suspicious named pipe access including Spoolss and LSARPC

06Analyzes Windows Event ID 4624 for NTLMSSP authentication anomalies

Use Cases

01Auditing domain-wide SMB signing compliance to harden Active Directory security

02Investigating suspicious Windows logon events during active incident response

03Conducting proactive threat hunting for NTLM relay and LLMNR/NBT-NS poisoning

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills hunting-for-ntlm-relay-attacks

For use in Claude.ai and ChatGPT

Key Features

01Identifies rapid authentication patterns from single accounts across multiple hosts

02Audits SMB signing status to identify vulnerable hosts in the network

034,121 GitHub stars

04Detects IP-address-to-WorkstationName mismatches indicative of relay tools

05Monitors suspicious named pipe access including Spoolss and LSARPC

06Analyzes Windows Event ID 4624 for NTLMSSP authentication anomalies

Use Cases

01Auditing domain-wide SMB signing compliance to harden Active Directory security

02Investigating suspicious Windows logon events during active incident response

03Conducting proactive threat hunting for NTLM relay and LLMNR/NBT-NS poisoning

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills hunting-for-ntlm-relay-attacks

For use in Claude.ai and ChatGPT