Back to Intelligence

Metasploit June 2026: Defending Against NTLM Relay Local-to-Domain PrivEsc and Paperclip AI RCE

SA
Security Arsenal Team
June 19, 2026
8 min read

This week's Metasploit update (June 19, 2026) introduces several high-impact modules that lower the barrier to entry for sophisticated attack chains. As security practitioners, we need to move beyond awareness and immediately address the specific capabilities these modules grant adversaries.

The release highlights two critical areas of concern:

  1. Paperclip AI RCE: A full, unauthenticated code execution exploit chain against a specific AI platform.
  2. Local NTLM Relay to Domain Admin: The windows/local/ntlm_relay_2_self module, which automates a complex local-to-domain privilege escalation using coerced NTLM authentication and Shadow Credentials.

Additionally, a new VS Code extension persistence technique has been added, signaling a continued trend of targeting developer environments for long-term access.

Technical Analysis

1. Paperclip AI Critical Code Execution

While no CVE was explicitly published in the summary, Rapid7 has released a module exploiting a critical unauthenticated code execution flaw chain in Paperclip AI.

  • Impact: This allows an attacker to execute arbitrary code on the Paperclip AI server without valid credentials. Given the nature of AI platforms, this often implies access to sensitive datasets, model weights, or integration pipelines.
  • Attack Vector: The module exploits a chain of vulnerabilities to achieve RCE. If your organization uses Paperclip AI, assume the scanning surface has just increased significantly with the release of this automated exploit.

2. NTLM Relay: Local to Domain Escalation (windows/local/ntlm_relay_2_self)

This is the most concerning module for enterprise defenders. It automates a privilege escalation path that traditionally required manual chaining of multiple tools.

  • The Attack Chain:

    1. Local Access: The attacker already has low-privileged access on a domain-joined Windows machine.
    2. Coercion: The module uses the OpenEncryptedFileRaw API (via WebDAV) to coerce the local Machine Account (DC$ or WORKSTATION$) to authenticate to a listener controlled by the attacker.
    3. Relay: The NTLM authentication of the Machine Account is relayed to the Domain Controller's (DC) LDAP service.
    4. Privilege Escalation (Shadow Credentials): Using the relayed LDAP session, the module writes a new key to the msDS-KeyCredentialLink attribute of the attacker-controlled user (or the machine account itself). This is known as the Shadow Credentials attack.
    5. Ticket Granting: The attacker obtains a Kerberos service ticket via S4U2Proxy (Self) using the newly registered key, effectively impersonating a high-privilege context (like Administrator).
    6. Lateral Movement: Finally, the module uses PsExec to connect back to the local machine with SYSTEM level privileges, completing the local-to-domain circle.

  • Why it matters: This bypasses the need for standard credential dumping (which might be blocked by EDR) or exploiting a vulnerable service on the DC. It relies on the ubiquitous trust between domain-joined machines and the DC.

3. VS Code Persistence

A new module demonstrates a persistence technique utilizing VS Code extensions. Adversaries can install malicious extensions that execute code whenever the editor is opened, providing a stealthy foothold in developer environments.

Detection & Response

SIGMA Rules

YAML
---
title: Potential Shadow Credentials Modification via LDAP
id: 8a1b2c3d-4e5f-6789-0a1b-2c3d4e5f6789
status: experimental
description: Detects modifications to the msDS-KeyCredentialLink attribute, which is used in Shadow Credential attacks to forge certificates for authentication.
references:
  - https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-19-06-2026
author: Security Arsenal
date: 2026/06/20
tags:
  - attack.credential_access
  - attack.t1558.001
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    AttributeName|contains: 'msDS-KeyCredentialLink'
  filter:
    SubjectUserName|endswith: '$' # Ignore machine account changes if noisy, but investigate initially
falsepositives:
  - Legitimate administration of Windows Hello for Business or key trust deployments
level: high
---
title: VS Code Extension Installation Persistence
id: 9b2c3d4e-5f6a-7890-1b2c-3d4e5f67890a
status: experimental
description: Detects the installation of Visual Studio Code extensions, which can be used for persistence by adversaries.
references:
  - https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-19-06-2026
author: Security Arsenal
date: 2026/06/20
tags:
  - attack.persistence
  - attack.t1547.012
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\code.exe'
    CommandLine|contains: '--install-extension'
falsepositives:
  - Developers installing legitimate extensions
level: low
---
title: Kerberos S4U2Proxy Service Ticket Request
id: 0c1d2e3f-4g5h-6789-2c3d-4e5f67890abc
status: experimental
description: Detects S4U2Proxy (constrained delegation) ticket requests often seen in exploitation of Shadow Credentials or delegation abuse.
references:
  - https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-19-06-2026
author: Security Arsenal
date: 2026/06/20
tags:
  - attack.defense_evasion
  - attack.t1558.003
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
    TicketOptions|contains: '0x40810000' # Flags often associated with S4U requests
  condition: selection
falsepositives:
  - Legitimate application usage of constrained delegation
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Shadow Credentials modification on Computer Objects
SecurityEvent
| where EventID == 5136
| where AttributeName contains "msDS-KeyCredentialLink"
| project TimeGenerated, SubjectUserName, SubjectLogonId, ObjectDN, OperationType, AttributeValue
| where ObjectDN contains "CN=Computers" or OperationValue == "%%14674" // Value depends on AD version, focusing on attribute write
| extend AccountCustomEntity = SubjectUserName

// Hunt for S4U2Proxy Ticket Requests (Potential Privilege Escalation)
SecurityEvent
| where EventID == 4769
| extend TicketEncryptionType = case(
  TicketEncryptionType == "0x17", "AES128",
  TicketEncryptionType == "0x18", "AES256",
  TicketEncryptionType)
| where TicketOptions has "forwardable" (0x40000000) and TicketOptions has "renewable" (0x00800000)
| summarize count() by TargetUserName, ServiceName, AccountCustomEntity = SubjectUserName
| where count_ > 10 // Threshold for anomaly detection

Velociraptor VQL

VQL — Velociraptor
-- Hunt for VS Code Extensions in user directories
SELECT FullPath, Mtime, Size, Username
FROM glob(globs='*/.vscode/extensions/*/package.')
WHERE
  -- Look for recently modified extensions indicating suspicious install
  Mtime > now() - 7d
  -- Flag extensions not published by Microsoft or known vetted vendors (heuristic)
  AND NOT FullName =~ "Microsoft\\.vscode\\.*" 

-- Hunt for Metasploit or uncommon process execution patterns
SELECT Name, Pid, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ "msfconsole" 
   OR CommandLine =~ "--install-extension"

Remediation Script (PowerShell)

PowerShell
<#
    .SYNOPSIS
    Harden Windows against NTLM Relay and Audit Shadow Credentials.
    
    .DESCRIPTION
    This script checks LDAP signing enforcement (mitigating NTLM Relay to LDAP)
    and audits Active Directory for the presence of Shadow Credentials.
#>

Write-Host "[+] Checking LDAP Server Integrity Channel Binding state..."

# Check LDAP Channel Binding State (Must be 2 for enforced)
$ldapPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$ldapBinding = (Get-ItemProperty -Path $ldapPath -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

if ($ldapBinding -eq 2) {
    Write-Host "[+] LDAP Channel Binding is ENFORCED. Good mitigation against NTLM Relay." -ForegroundColor Green
} else {
    Write-Host "[!] LDAP Channel Binding is NOT enforced (Current Value: $ldapBinding)." -ForegroundColor Red
    Write-Host "[Recommendation] Set 'LdapEnforceChannelBinding' to 2 on Domain Controllers."
}

# Check LDAP Signing
$ldapSigningPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$ldapSigning = (Get-ItemProperty -Path $ldapSigningPath -ErrorAction SilentlyContinue).LDAPServerIntegrity
if ($ldapSigning -eq 2) {
    Write-Host "[+] LDAP Signing is REQUIRED." -ForegroundColor Green
} else {
    Write-Host "[!] LDAP Signing is not required (Current Value: $ldapSigning)." -ForegroundColor Red
}

Write-Host ""
Write-Host "[+] Auditing Active Directory for Shadow Credentials..."

# Attempt to import Active Directory module
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    
    # Find objects with msDS-KeyCredentialLink populated
    try {
        $targetedObjects = Get-ADObject -LDAPFilter "(msDS-KeyCredentialLink=*)" -Properties msDS-KeyCredentialLink, Name, ObjectClass
        
        if ($targetedObjects) {
            Write-Host "[!] Found objects with Shadow Credentials configured:" -ForegroundColor Yellow
            foreach ($obj in $targetedObjects) {
                Write-Host "  - $($obj.Name) ($($obj.ObjectClass))"
            }
        } else {
            Write-Host "[+] No Shadow Credentials currently detected in AD." -ForegroundColor Green
        }
    } catch {
        Write-Host "[!] Error querying AD: $_" -ForegroundColor Red
    }
} else {
    Write-Host "[!] Active Directory module not found. Skipping AD audit." -ForegroundColor Yellow
}

Write-Host ""
Write-Host "[+] Scan Complete."

Remediation

1. Mitigate NTLM Relay to LDAP

The ntlm_relay_2_self module relies on relaying authentication to LDAP. To break this chain:

  • Enforce LDAP Signing and Channel Binding: Ensure all Domain Controllers are configured to require LDAP Signing and LDAP Channel Binding. This forces the session encryption that NTLM Relay typically cannot satisfy, causing the relay attempt to fail.
    • Registry Key: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    • Values: Set LdapEnforceChannelBinding to 2 and LDAPServerIntegrity to 2.
  • Disable NTLM: aggressively phase out NTLM authentication in favor of Kerberos.

2. Audit and Restrict Shadow Credentials

  • Audit: Use the provided script or a SIEM query to identify any objects that currently have msDS-KeyCredentialLink populated. This attribute should be empty unless you are specifically using Windows Hello for Business or similar key-trust features.
  • ACL Hardening: Restrict who can write to msDS-KeyCredentialLink on high-privilege objects (Domain Admins, Enterprise Admins). Generally, only privileged admins should have WRITE_PROPERTY access to this attribute.

3. Patch and Isolate Paperclip AI

  • Patch Immediately: Contact Paperclip AI or review their advisories for the specific patch addressing the critical RCE chain.
  • Network Segmentation: If patching is not immediately possible, isolate Paperclip AI instances from the internal network and the internet, restricting access strictly to necessary admin subnets.

4. Monitor VS Code Usage

  • Policy: Implement Group Policy or configuration management to restrict VS Code extension installations to a pre-approved list.
  • Detection: Deploy the Sigma rules above to alert on new extension installations.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosuremetasploitntlm-relaypaperclip-ai

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action