
How to Protect Against the Expanded Metasploit SMB NTLM Relay Capabilities

Security Arsenal Team
March 29, 2026
6 min read

Strengthening Defenses Against Expanded SMB NTLM Relay Attacks

The release of the Metasploit Wrap-Up for March 2026 highlights a significant evolution in offensive tooling that directly impacts the defensive posture of organizations worldwide. While Metasploit is a staple for penetration testers, its improvements often signal a lower barrier to entry for malicious actors. This week’s update specifically enhances the SMB NTLM relay server, a mechanism frequently used in Active Directory attacks to move laterally and escalate privileges.

For defenders, the practical effect is that NTLM relay over SMB has become more reliable. Until now, Metasploit's SMB relay server expected the connecting client to authenticate again when it was sent STATUS_NETWORK_SESSION_EXPIRED, a behavior the module used to fan one client out to several targets and one that Windows' native net use honors but many other SMB clients do not. The March 2026 update drops that requirement when a single target is configured: the Net-NTLM messages are forwarded to the target as soon as they arrive. This extends the attack to a much wider range of SMB clients and libraries, so organizations can no longer count on client quirks to shield them from relay; only server-side controls (SMB signing, NTLM restrictions) do.

Technical Analysis

An NTLM relay attack is an adversary-in-the-middle technique (MITRE ATT&CK T1557.001): the attacker coaxes a client into authenticating to a host it controls, then forwards the NTLM challenge-response messages unchanged to a target server, which accepts them as a genuine logon for the victim's account. The attacker never learns the password or NT hash; it borrows the authenticated session. SMB is the most common transport on both the victim and the target side, and the relayed session fails only when the target binds it to key material the attacker does not have, which is exactly what SMB signing does.

The Change: Before the March 2026 release, Metasploit's SMB NTLM relay server relied on the connecting client responding to STATUS_NETWORK_SESSION_EXPIRED by authenticating again. That is how a single client connection could be relayed to several targets in turn, but the behavior is largely specific to Windows' native net use command; other SMB clients do not necessarily re-authenticate, and the relay stalled.

The Impact: When a single target is specified, the updated module no longer waits for that re-authentication cycle; it forwards each Net-NTLM message to the target as soon as it is received. The attack therefore works against a much broader set of SMB clients and libraries, with less setup for the attacker. Nothing about the underlying weakness has changed: the relay still succeeds only where NTLM is accepted and the target does not require SMB signing.
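The exchange described above, worked through in code as an added example (not Metasploit code, and not code from the original article): a victim authenticates with NTLMv2, a relay forwards the three messages to a target as-is, and the target then either accepts the attacker's follow-up request or rejects it because it requires signing. The NTLMv2 derivations follow MS-NLMP and the signature follows SMB 2.0.2/2.1 (HMAC-SHA256 keyed with the session key, per MS-SMB2); the NT hash, account names, blob layout and request bytes are constructed test data.

```python
"""NTLMv2 relay walk-through: why a target that requires SMB signing rejects the relayed session.

Added example; not Metasploit code. NTLMv2 key derivation per MS-NLMP (NTOWFv2, NTProofStr,
SessionBaseKey); message signature per SMB 2.0.2/2.1 (truncated HMAC-SHA256 with the session key).
"""
import hashlib
import hmac
import os

# Constructed: NT hash of the password "password" (MD4 of its UTF-16LE encoding),
# hard-coded so the script runs offline without an MD4 implementation.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "alice", "CORP"           # constructed account


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP 3.3.2: NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, temp: bytes):
    """Return (NtChallengeResponse, SessionBaseKey) for one server challenge.

    NTProofStr     = HMAC_MD5(NTOWFv2, ServerChallenge || temp)   -- sent on the wire
    SessionBaseKey = HMAC_MD5(NTOWFv2, NTProofStr)                -- never sent on the wire
    """
    nt_proof = hmac.new(ntowf, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(ntowf, nt_proof, hashlib.md5).digest()
    return nt_proof + temp, session_base_key


def smb2_sign(session_key: bytes, message: bytes) -> bytes:
    """SMB 2.0.2/2.1 signing: 16-byte truncated HMAC-SHA256 over the message."""
    return hmac.new(session_key, message, hashlib.sha256).digest()[:16]


class TargetServer:
    """Relay target. A real domain member validates the response through its DC; here the
    verifying side simply holds the NT hash, which is all the check needs."""

    def __init__(self, nt_hash: bytes, require_signing: bool):
        self.nt_hash = nt_hash
        self.require_signing = require_signing
        self.challenge = os.urandom(8)       # ServerChallenge carried in the CHALLENGE message
        self.session_key = None

    def authenticate(self, user: str, domain: str, nt_response: bytes) -> bool:
        nt_proof, temp = nt_response[:16], nt_response[16:]
        expected, key = ntlmv2_response(ntowf_v2(self.nt_hash, user, domain), self.challenge, temp)
        if not hmac.compare_digest(expected[:16], nt_proof):
            return False
        self.session_key = key               # server derives the same key the client holds
        return True

    def handle_request(self, message: bytes, signature: bytes) -> str:
        if self.session_key is None:
            return "ACCESS_DENIED: no session"
        if self.require_signing and not hmac.compare_digest(smb2_sign(self.session_key, message), signature):
            return "ACCESS_DENIED: invalid signature"
        return "OK"


def run_relay(require_signing: bool) -> dict:
    """Victim -> attacker -> target. The attacker forwards the NTLM messages unchanged
    (single-target behaviour) and then tries to use the resulting session."""
    target = TargetServer(NT_HASH, require_signing)
    # 1. Attacker negotiates with the target and forwards the target's CHALLENGE to the victim.
    forwarded_challenge = target.challenge
    # 2. Victim computes its NTLMv2 response; its session key is derived locally and stays there.
    #    Constructed 'temp' blob: version bytes, reserved, timestamp, client challenge, reserved.
    temp = b"\x01\x01" + b"\x00" * 6 + os.urandom(8) + os.urandom(8) + b"\x00" * 4
    nt_response, victim_key = ntlmv2_response(ntowf_v2(NT_HASH, USER, DOMAIN), forwarded_challenge, temp)
    # 3. Attacker forwards the AUTHENTICATE message unchanged; the target accepts the logon.
    authenticated = target.authenticate(USER, DOMAIN, nt_response)
    # 4. Attacker issues a request as the victim. Without the NT hash there is no NTOWFv2 and
    #    therefore no session key; a signature under a guessed key is the best it can do.
    request = b"SMB2 TREE_CONNECT \\\\target\\C$"
    relayed = target.handle_request(request, smb2_sign(b"\x00" * 16, request))
    # 5. For contrast, the legitimate client can sign the same request.
    victim_ok = target.handle_request(request, smb2_sign(victim_key, request)) == "OK"
    return {"authenticated": authenticated, "relayed_request": relayed, "victim_can_sign": victim_ok}


if __name__ == "__main__":
    for required in (False, True):
        print(f"signing required={required}: {run_relay(required)}")
```

Run it and the first line shows the relay succeeding outright when signing is optional; the second shows the same logon accepted but every subsequent request rejected because the relay cannot produce a valid signature. Two simplifications to keep in mind: with NTLMSSP_NEGOTIATE_KEY_EXCH the client instead sends a random session key RC4-encrypted under the key derived here, which the relay still cannot decrypt, and SMB 3.x derives its signing key from the session key with a KDF rather than using it directly. Neither changes the conclusion.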

Affected Systems:

  • Windows Domain Controllers: the highest-value targets, but DCs require SMB signing by default, so an SMB relay against a DC only works where that default has been relaxed; on DCs the exposure is more often LDAP without signing and channel binding.
  • Member servers and workstations with SMB enabled: any host that accepts NTLM over SMB (TCP 445, or 139 over NetBIOS) and does not require signing is a valid relay target; file servers, application servers and admin workstations are the usual ones.
  • Client systems: any endpoint that can be coerced or lured into authenticating to an attacker-controlled host; with this update, non-Windows SMB clients and libraries count as well.

Severity: High. While this is a tooling update rather than a software vulnerability, it validates and facilitates a known critical attack vector (T1557.001) against misconfigured infrastructure.

Defensive Monitoring

To protect your organization against the enhanced relay capabilities, security operations teams should watch for NTLM authentication, especially over SMB, and for the anomaly a relay leaves behind: a network logon on the target (Security event 4624, Logon Type 3, authentication package NTLM) whose WorkstationName, which Windows copies from the victim's NTLM AUTHENTICATE message, does not belong to the source IpAddress, which is the relay host. Note that 4624 and 4625 are written on the target server, while the domain controller only records the credential validation (4776), so server Security logs need to be collected. Enabling the "Network security: Restrict NTLM" audit policies additionally produces events 8001-8004 in the Microsoft-Windows-NTLM/Operational log, which name the NTLM client and server directly.

SIGMA Rules

These SIGMA rules are designed to detect suspicious NTLM authentication patterns indicative of potential relay attacks.

YAML
---
title: NTLM Network Logon on a Potential Relay Target
id: 8f7e26d4-9c4d-4b8f-9c1a-3b4e5d6f7a8b
status: experimental
description: Surfaces NTLM network logons (Security 4624, Logon Type 3, package NTLM), the footprint a relayed authentication leaves on the target server. Machine accounts, anonymous logons and built-in service logons are excluded. Use as a baseline and hunting rule and correlate hits on WorkstationName versus IpAddress; a relay records the victim's workstation name against the relay host's IP.
references:
  - https://attack.mitre.org/techniques/T1557/001/
  - https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-27-2026
author: Security Arsenal
date: 2026-03-28
tags:
  - attack.credential_access
  - attack.t1557.001
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 3
    AuthenticationPackageName: NTLM
  filter_builtin:
    TargetUserName|contains:
      - 'DWM-'
      - 'UMFD-'
      - 'LOCAL SERVICE'
      - 'SYSTEM'
  filter_machine:
    TargetUserName|endswith: '$'
  filter_anonymous:
    TargetUserName: 'ANONYMOUS LOGON'
  condition: selection and not 1 of filter_*
falsepositives:
  - Legacy application authentication
  - Administrative activity using NTLM
level: medium
title: Burst of Failed NTLM Network Logons from One Source
id: 3d8e9f2a-1b4c-4d6e-9f1a-2b3c4d5e6f7a
status: experimental
description: Detects more than five failed NTLM network logons (Security 4625, STATUS_LOGON_FAILURE 0xC000006D) from a single source address within two minutes, a pattern produced by automated relay or spraying tooling rather than by a user retrying a password. 4625 is written on the target host, so the rule needs Security logs from servers, not only from domain controllers.
references:
  - https://attack.mitre.org/techniques/T1557/001/
author: Security Arsenal
date: 2026-03-28
tags:
  - attack.credential_access
  - attack.t1557.001
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4625
    LogonType: 3
    AuthenticationPackageName: NTLM
    Status: '0xC000006D'
  timeframe: 2m
  condition: selection | count() by IpAddress > 5
falsepositives:
  - Misconfigured service accounts
  - Application failures during maintenance windows
level: high

KQL Queries

Use these queries in Microsoft Sentinel (SecurityEvent table) and in Microsoft Defender XDR advanced hunting (IdentityLogonEvents, populated by Defender for Identity) to hunt for relay activity. There is no patch to verify; the configuration state that matters (signing, NTLM restrictions) is covered by the VQL and PowerShell checks further down.

KQL — Microsoft Sentinel / Defender
// NTLM network logons (4624, Logon Type 3) recorded on targets: bursts per source IP and account
SecurityEvent
| where EventID == 4624
| where LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where TargetUserName != "ANONYMOUS LOGON" and not(TargetUserName endswith "$")
| project TimeGenerated, Computer, TargetUserName, IpAddress, WorkstationName
| summarize Logons = count(), Workstations = make_set(WorkstationName) by IpAddress, TargetUserName, bin(TimeGenerated, 5m)
| where Logons > 3
| order by Logons desc
// A relay shows the victim's computer name in Workstations against the relay host's IpAddress.


// NTLM logons to privileged accounts as seen by Defender for Identity
// (IdentityLogonEvents has no TargetUserName; the account is AccountName and the
// authentication protocol is Protocol; LogonType "RemoteInteractive" would mean RDP, not SMB)
IdentityLogonEvents
| where Protocol == "Ntlm"
| where AccountName in~ ("Administrator")   // extend with your Tier 0 account list
| project Timestamp, AccountName, AccountDomain, DeviceName, IPAddress, DestinationDeviceName, Application, LogonType
| order by Timestamp desc
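The selection, filter and aggregation logic of the two SIGMA rules and the first KQL query, run over constructed Security events so the behaviour can be checked without a SIEM. This is an added example, not code from the original article: the event records are built to carry the 4624/4625 fields the rules use (EventID, LogonType, AuthenticationPackageName, TargetUserName, IpAddress, WorkstationName, Computer, Status, TimeGenerated), the IP-to-hostname inventory is made up, and the burst counting is per source IP rather than per IP-and-account as in the KQL. It also adds the WorkstationName-versus-IpAddress check that the rules can only describe in prose.

```python
"""Relay detection logic over constructed Windows Security events (added example, not article code)."""
from collections import defaultdict
from datetime import datetime, timedelta

NOISE_ACCOUNTS = {"ANONYMOUS LOGON", "LOCAL SERVICE", "SYSTEM"}
NOISE_PREFIXES = ("DWM-", "UMFD-")


def is_noise(user: str) -> bool:
    """Accounts the Sigma filters drop: built-ins, anonymous, and machine accounts (trailing '$')."""
    return user in NOISE_ACCOUNTS or user.startswith(NOISE_PREFIXES) or user.endswith("$")


def ntlm_network_logons(events, success=True):
    """Selection clause of both rules: EventID 4624 (or 4625), Logon Type 3, package NTLM."""
    wanted = 4624 if success else 4625
    return [e for e in events
            if e["EventID"] == wanted and e["LogonType"] == 3
            and e["AuthenticationPackageName"] == "NTLM" and not is_noise(e["TargetUserName"])]


def burst_by_source(events, window: timedelta, threshold: int):
    """Equivalent of 'summarize count() by IpAddress, bin(TimeGenerated, window) | where count_ > threshold'.
    Buckets are aligned to the earliest event. Returns {(ip, bucket): events} for buckets over threshold."""
    if not events:
        return {}
    base = min(e["TimeGenerated"] for e in events)
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["IpAddress"], (e["TimeGenerated"] - base) // window)].append(e)
    return {k: v for k, v in buckets.items() if len(v) > threshold}


def workstation_mismatches(events, inventory):
    """Relay tell-tale. Windows fills WorkstationName from the NTLM AUTHENTICATE message, i.e. the
    victim's own computer name, while IpAddress is the peer that actually opened the connection.
    With a relay in between the two disagree. 'inventory' maps IP -> expected hostname (constructed)."""
    return [e for e in ntlm_network_logons(events)
            if e["IpAddress"] in inventory
            and e["WorkstationName"].upper() != inventory[e["IpAddress"]].upper()]


def analyze(events, inventory) -> dict:
    """Apply rule 1 (success bursts), rule 2 (failure bursts) and the mismatch check."""
    successes = ntlm_network_logons(events, success=True)
    failures = [e for e in ntlm_network_logons(events, success=False) if e["Status"] == "0xC000006D"]
    return {
        "ntlm_bursts": {ip for ip, _ in burst_by_source(successes, timedelta(minutes=5), 3)},
        "failure_bursts": {ip for ip, _ in burst_by_source(failures, timedelta(minutes=2), 5)},
        "relay_suspects": sorted({e["IpAddress"] for e in workstation_mismatches(events, inventory)}),
    }


# ---- constructed sample data ------------------------------------------------------------------
T0 = datetime(2026, 3, 28, 9, 0, 0)


def ev(eid, user, ip, workstation, offset_s, status=None):
    return {"EventID": eid, "LogonType": 3, "AuthenticationPackageName": "NTLM",
            "TargetUserName": user, "IpAddress": ip, "WorkstationName": workstation,
            "Computer": "FS01", "Status": status, "TimeGenerated": T0 + timedelta(seconds=offset_s)}


INVENTORY = {"10.0.0.11": "WS01", "10.0.0.12": "WS02", "10.0.0.99": "LAB-VM07"}

SAMPLE_EVENTS = [
    ev(4624, "alice", "10.0.0.11", "WS01", 0),             # normal: name and IP belong together
    ev(4624, "WS02$", "10.0.0.12", "WS02", 30),            # machine account, filtered
    ev(4624, "ANONYMOUS LOGON", "10.0.0.12", "WS02", 40),  # anonymous, filtered
    ev(4624, "alice", "10.0.0.99", "WS01", 60),            # WS01's authentication arriving from LAB-VM07's IP
    ev(4624, "bob", "10.0.0.99", "WS02", 70),
    ev(4624, "carol", "10.0.0.99", "WS03", 80),
    ev(4624, "dave", "10.0.0.99", "WS04", 90),
] + [ev(4625, "svc_backup", "10.0.0.99", "WS01", 130 + 3 * i, status="0xC000006D") for i in range(6)]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS, INVENTORY))
```

Against the sample data all three checks point at 10.0.0.99: four NTLM logons for four different accounts inside one five-minute bucket, six STATUS_LOGON_FAILURE events inside two minutes, and four logons whose WorkstationName names a different machine than the one the inventory puts at that address. The mismatch check is the one worth productionising, because it fires on a single relayed logon rather than needing a burst.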

Velociraptor VQL

Hunt for hosts that do not require SMB signing (and therefore accept relayed sessions) and for NTLM network logons recorded in the local Security log.

VQL — Velociraptor
-- Hunt for hosts whose SMB server (LanmanServer, inbound) or SMB client
-- (LanmanWorkstation, outbound) does not require signing. An absent value means
-- the Windows default, which on non-DC hosts has traditionally been "not required".
-- EnableSecuritySignature is shown for completeness only; SMB2/3 ignores it.
SELECT Key.OSPath AS Key,
       RequireSecuritySignature,
       EnableSecuritySignature
FROM read_reg_key(globs="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Lanman*\\Parameters")
WHERE NOT RequireSecuritySignature


-- NTLM network logons from the local Security log, with the relay tell-tale:
-- WorkstationName is the victim's own computer name (copied from the NTLM
-- AUTHENTICATE message) while IpAddress is the peer that actually connected.
-- The ntfs accessor reads the live, locked Security.evtx.
SELECT System.TimeCreated.SystemTime AS Time,
       EventData.TargetUserName AS User,
       EventData.IpAddress AS SourceIP,
       EventData.WorkstationName AS ClaimedWorkstation,
       EventData.LogonProcessName AS LogonProcess
FROM parse_evtx(filename="C:\\Windows\\System32\\winevt\\Logs\\Security.evtx", accessor="ntfs")
WHERE System.EventID.Value = 4624
  AND EventData.LogonType = 3
  AND EventData.AuthenticationPackageName = "NTLM"

Remediation Scripts

PowerShell: Verify and Enforce SMB Signing.

PowerShell
# Check SMB server (inbound) and SMB client (outbound) signing configuration.
# RequireSecuritySignature is the setting that matters; EnableSecuritySignature
# only affects SMB1 and is ignored by SMB2/3.
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

# Enforce signing on this host (requires an elevated session). For fleet-wide
# enforcement use the Group Policy settings in the Remediation section; a local
# change is overwritten by policy on the next refresh.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Confirm the underlying registry values (1 = required)
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" | Select-Object RequireSecuritySignature, EnableSecuritySignature
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" | Select-Object RequireSecuritySignature, EnableSecuritySignature

Remediation

To mitigate the risks posed by the enhanced Metasploit capabilities and NTLM relay attacks in general, Security Arsenal recommends the following actions:

  1. Require SMB Signing: Enforce "Microsoft network server: Digitally sign communications (always)" and its client-side counterpart "Microsoft network client: Digitally sign communications (always)" through Group Policy on every host that could be a relay target, not only on domain controllers (which require it by default). A target that requires signing rejects the relayed session because the attacker cannot derive the session key. Member servers and workstations traditionally do not require signing; newer Windows releases tighten that default, but verify rather than assume.
  2. Reduce and then disable NTLM: Accelerate the transition to Kerberos. Under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, first enable "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" and "Audit NTLM authentication in this domain" for all accounts and review the Microsoft-Windows-NTLM/Operational log, then switch to:
    • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all.
    • Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts ("Deny all domain accounts" is a narrower intermediate step, not a test mode; the audit settings are the test mode).
    • Use the "Add remote server exceptions" and "Add server exceptions in this domain" lists for the legacy systems the audit phase identifies.
  3. Enable Extended Protection for Authentication (EPA) where it applies: EPA (channel binding) protects HTTP services on IIS, for example AD CS web enrollment, and LDAP (enable LDAP channel binding together with LDAP server signing on domain controllers). SMB has no EPA setting; signing (item 1) is its equivalent.
  4. Review and Patch: Relay is a design weakness rather than a CVE, but keep systems patched against the bugs that made relay easier than it should be, for example CVE-2019-1040 ("Drop the MIC"), which let an attacker strip the message integrity code and relay SMB authentication to LDAP.
  5. Network Segmentation: Block SMB (TCP 445, and 139) between workstation subnets and toward servers except where it is needed. A relay needs both a victim it can coerce and a target it can reach; removing either path breaks the attack.
