DFIR Investigation Tip : Investigate the exploits of LLMNR Poisoning and SMB Relay Attacking


#dfir #cti #attack #defense #forensics #intelligence #edr #usecase

In one of the cases I was involved in, I conducted an investigation into a unique and sophisticated attack scenario.

The attacker leveraged unconventional methods that added complexity to the investigation. Instead of using macros in an Excel sheet to execute malicious activity, the attacker embedded a link in the last column of the sheet. This link pointed to the attacker’s machine and was used to exfiltrate NTLM credentials via an SMB relay attack. Here’s how the attack unfolded:

When a user clicked to open the Excel sheet, the attacker captured a valid authentication session and relayed it, successfully gaining access to the system. The question that naturally arises here is "How did the Excel sheet reach the users via email?" The answer lies in the attacker's persistence within the environment. One of the techniques they employed was an LLMNR Poisoning attack.

What is LLMNR?

LLMNR is a protocol designed to enable hosts on the same local network to perform name resolution for other hosts without the need for a DNS server.

- When a host’s DNS query fails, it broadcasts an LLMNR request across the local network to see if any other host can respond.

- LLMNR is the successor to NetBIOS. NetBIOS (Network Basic Input/Output System) was widely used in earlier versions of Windows networking. When DNS resolution fails, both LLMNR and its predecessor, NBT-NS (NetBIOS Name Service), serve as fallback protocols for local name resolution.

Exploiting LLMNR (LLMNR Poisoning)

In an LLMNR poisoning attack, a malicious actor listens for LLMNR requests on the network. They respond with their own IP address (or another chosen IP), redirecting the traffic to their controlled machine. This enables attackers to intercept credentials, conduct relay attacks, and gain unauthorized access to systems.

Attack Scenario Walkthrough:

1. Setting up the Attack: Threat actors typically run the Responder tool.

2. Triggering the Event: When an LLMNR event occurred on the network, the attacker maliciously responded, redirecting traffic to their controlled machine. This allowed the attacker to obtain sensitive information, such as:

- The victim’s IP address

- The domain and username of the victim

- The victim’s NTLM password hash

3. Exploiting Weak Passwords: Using the captured password hashes, the attacker attempted to crack them, particularly targeting weak passwords, and gained further access.

4. Internal Email Campaign: After establishing a foothold, the attacker sent internal emails to users via Exchange Web Services (EWS).

These emails contained the malicious Excel sheet with the embedded link to exfiltrate credentials. This step facilitated privilege escalation and lateral movement within the environment.
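The walkthrough above turns on one thing a defender can see on the wire: a rogue responder answering LLMNR queries (UDP 5355) for names that failed DNS. The following script is an added example (not part of the original post) that parses LLMNR datagrams, which share the DNS message layout, and flags responses that answer for a name no inventoried host owns or that point a real name at a different IP. The hostnames, IP addresses, the `INVENTORY` mapping and the captured datagrams in `CAPTURE` are all constructed for illustration.

```python
"""Parse LLMNR datagrams (UDP 5355, DNS-like layout) and flag responses that a rogue
responder would produce. Added example, not from the post; hosts, IPs and the captured
datagrams are constructed here."""
import struct
from ipaddress import IPv4Address

LLMNR_PORT = 5355
LLMNR_MCAST = "224.0.0.252"
QR_FLAG = 0x8000  # set in the flags word of a response

def build_llmnr(qid, name, answer_ip=None):
    """Construct a query (answer_ip None) or a response with one A record. Test-data helper."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)              # QTYPE A, QCLASS IN
    if answer_ip is None:
        return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + question
    rdata = IPv4Address(answer_ip).packed
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, QR_FLAG, 1, 1, 0, 0) + question + answer

def _read_name(buf, off):
    """Read a label sequence at `off`, following one compression pointer if present."""
    labels = []
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                                  # compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln

def parse_llmnr(payload):
    """Return id, query/response flag, queried names and A-record answers of one datagram."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(payload, off)
        off += 4                                               # skip QTYPE/QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = _read_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata, off = payload[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, str(IPv4Address(rdata))))
    return {"id": qid, "is_response": bool(flags & QR_FLAG),
            "questions": questions, "answers": answers}

def flag_llmnr_responses(datagrams, inventory):
    """datagrams: (src_ip, src_port, dst_ip, dst_port, payload). inventory: hostname -> IP.
    A legitimate LLMNR answer comes from the host that owns the name. Anything answering for
    a name nobody owns (typos, stale shares) or pointing a real name elsewhere is flagged."""
    findings = []
    for src, sport, dst, dport, payload in datagrams:
        if LLMNR_PORT not in (sport, dport):
            continue
        msg = parse_llmnr(payload)
        if not msg["is_response"]:
            continue
        for name, ip in msg["answers"]:
            owner = inventory.get(name.lower())
            if owner is None:
                findings.append((src, name, ip, "answer for a name no inventoried host owns"))
            elif ip != owner or src != owner:
                findings.append((src, name, ip, f"name belongs to {owner}"))
    return findings

INVENTORY = {"printsrv": "10.0.0.30"}        # constructed
CAPTURE = [                                  # constructed datagrams: a typo'd name, a legitimate
    ("10.0.0.21", 51000, LLMNR_MCAST, LLMNR_PORT, build_llmnr(0x1111, "fileshrae")),   # answer, and a rogue one
    ("10.0.0.99", LLMNR_PORT, "10.0.0.21", 51000, build_llmnr(0x1111, "fileshrae", "10.0.0.99")),
    ("10.0.0.22", 52000, LLMNR_MCAST, LLMNR_PORT, build_llmnr(0x2222, "printsrv")),
    ("10.0.0.30", LLMNR_PORT, "10.0.0.22", 52000, build_llmnr(0x2222, "printsrv", "10.0.0.30")),
    ("10.0.0.99", LLMNR_PORT, "10.0.0.22", 52000, build_llmnr(0x2222, "printsrv", "10.0.0.99")),
]

if __name__ == "__main__":
    for finding in flag_llmnr_responses(CAPTURE, INVENTORY):
        print(*finding)
```

Run against real traffic, the datagram tuples would come from a pcap; the point of the inventory check is that a host answering for a name that failed DNS is only legitimate when that host actually carries the name, which is exactly the assumption a poisoner breaks.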

Back to SMB relay attacks and how they work. With this technique, attackers take advantage of the SMB protocol's built-in trust in network users. The attacker uses scanning to identify available accounts to target, then intercepts and manipulates a valid authentication session. By capturing and relaying authentication traffic, the attacker impersonates the user to gain unauthorized access. Here’s a common SMB relay attack progression:

Step 1: The attacker positions themselves as a "man-in-the-middle" by intercepting SMB traffic between a client and a legitimate server. This can be achieved by network-level techniques such as ARP spoofing or DNS poisoning to reroute SMB traffic through the attacker’s machine.

Step 2: Once in the middle, the attacker intercepts the SMB authentication request sent by the client, which typically includes hashed credentials rather than plaintext passwords.

Step 3: The attacker then relays the intercepted credentials to another target server that also uses SMB for authentication, effectively impersonating the legitimate user. Since the NTLM (New Technology LAN Manager) authentication process does not validate the source of the authentication message, the attacker can bypass this protection mechanism and gain access to the machine.


To effectively investigate LLMNR Poisoning and SMB Relay Attacks, here are the specific sources of logs you should enable and collect during the investigation process:

1. Windows Event Logs -> Relevant Logs:

- Security Log:

  - Event ID 4624: Account logon success.

  - Event ID 4625: Account logon failure.

  - Event ID 4648: Logon attempted with explicit credentials.

  - Event ID 4776: NTLM authentication failure.

  - Event ID 5140: Access to a shared file or folder.

  - Event ID 4672: Privileged account logon (special privileges assigned to the new logon).

- System Log:

  - Event ID 6004: indicates potential SMB activity issues.

2. Network Traffic Logs -> Relevant Indicators:

- LLMNR and NBNS (UDP ports 5355 and 137) queries and suspicious responses.

- SMB traffic over TCP port 445:

  - Look for NTLM authentication or signs of relayed credentials.

3. DNS Logs -> Source: DNS server logs.

- Relevant Logs:

  - DNS query logs showing failed or suspicious resolution attempts for internal hostnames.

4. SMB Logs -> Source: Windows systems where SMB is in use. Relevant Logs:

- SMB-related activity, including access to shared files and folders.

5. Endpoint Logs -> Relevant Logs:

- Processes making LLMNR or SMB requests.

- Lateral movement behavior via NTLM authentication.

6. Sysmon Logs (if enabled)

- Source: Sysmon (System Monitor by Microsoft).

- Relevant Logs:

  - Network connections (Event ID 3) showing LLMNR or SMB traffic.

  - Process creation (Event ID 1) of tools like Responder or Impacket.

  - File creation events (Event ID 11) in shared folders.

7. Active Directory Logs

- Source: Domain Controller Event Logs.

- Relevant Logs:

  - Event ID 4768: Kerberos authentication ticket requested.

  - Event ID 4769: Service ticket granted.
  - Event ID 4776: NTLM authentication failure.
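The Security-log events listed in sections 1 and 7 become useful once they are correlated rather than read one at a time. The script below is an added example (not from the original post) that applies two checks to 4624 network logons using the NTLM package: a relay forwards the victim's own NTLM messages from the relay host, so the `WorkstationName` the client put in the message disagrees with the host behind `IpAddress`; and one source IP completing logons as several different users in a short window is the shape a relay or a cracked-hash spree leaves behind. A flagged logon whose `TargetLogonId` reappears as `SubjectLogonId` in a 4672 is the session that landed with special privileges. The event records, the user names, IPs, logon IDs and the `INVENTORY` mapping are constructed for illustration; field names follow the Security event XML.

```python
"""Correlate Windows Security events (4624/4672) to surface NTLM network logons that look
relayed. Added example, not from the post; events, hosts, users and IPs are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: WS-BOB logs on normally; 10.0.0.99 (not in inventory) then presents NTLM
# logons for three users within two minutes, each carrying the victim's workstation name,
# and one of those sessions receives special privileges (4672).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:55:00", "TargetUserName": "bob",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.22",
     "WorkstationName": "WS-BOB", "TargetLogonId": "0x1001"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "alice",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99",
     "WorkstationName": "WS-ALICE", "TargetLogonId": "0x2001"},
    {"EventID": 4672, "TimeCreated": "2024-05-01T10:00:01", "SubjectUserName": "alice",
     "SubjectLogonId": "0x2001"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:00:40", "TargetUserName": "bob",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99",
     "WorkstationName": "WS-BOB", "TargetLogonId": "0x2002"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:01:15", "TargetUserName": "carol",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.99",
     "WorkstationName": "WS-CAROL", "TargetLogonId": "0x2003"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:02:00", "TargetUserName": "dave",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.24",
     "WorkstationName": "WS-DAVE", "TargetLogonId": "0x2004"},
]

# Constructed asset inventory: the hostname expected behind each client IP.
INVENTORY = {"10.0.0.21": "WS-ALICE", "10.0.0.22": "WS-BOB", "10.0.0.23": "WS-CAROL"}

def ntlm_network_logons(events):
    """4624 with LogonType 3 (network) and the NTLM package: the logons a relay produces."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"].upper() == "NTLM"]

def workstation_ip_mismatches(events, inventory):
    """WorkstationName is copied from the NTLM AUTHENTICATE message the client built, while
    IpAddress is the peer that actually connected. A relay forwards the victim's message
    from the relay host, so the two disagree (or the IP is not a known client at all)."""
    findings = []
    for e in ntlm_network_logons(events):
        expected = inventory.get(e["IpAddress"])
        if expected is None or expected.upper() != e["WorkstationName"].upper():
            findings.append({"user": e["TargetUserName"], "ip": e["IpAddress"],
                             "claimed_host": e["WorkstationName"],
                             "expected_host": expected, "logon_id": e["TargetLogonId"]})
    return findings

def ntlm_fanout(events, window=timedelta(minutes=5), threshold=3):
    """One source IP completing NTLM logons as `threshold` distinct users inside `window`."""
    by_ip = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_ip[e["IpAddress"]].append(e)
    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["TimeCreated"])
            users = {x["TargetUserName"] for x in evs[i:]
                     if datetime.fromisoformat(x["TimeCreated"]) - t0 <= window}
            if len(users) >= threshold:
                findings.append((ip, sorted(users)))
                break
    return findings

def privileged_followups(events, logon_ids):
    """4672 whose SubjectLogonId matches a flagged 4624 TargetLogonId: that relayed session
    was granted special privileges on the target."""
    return sorted(e["SubjectLogonId"] for e in events
                  if e["EventID"] == 4672 and e["SubjectLogonId"] in logon_ids)

def triage(events, inventory):
    """Run all three checks and return one summary dict."""
    mismatches = workstation_ip_mismatches(events, inventory)
    return {"mismatches": mismatches,
            "fanout": ntlm_fanout(events),
            "privileged": privileged_followups(events, {m["logon_id"] for m in mismatches})}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, INVENTORY), indent=2))
```

The Kerberos logon from an uninventoried IP is deliberately left alone: the checks are scoped to NTLM network logons because that is the only authentication a relay can complete, and widening them to every 4624 would bury the signal in ordinary domain traffic.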

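Section 6 lists Sysmon Event ID 1 and Event ID 3 as sources; the following added example (not part of the original post) shows what hunting those two event types for this scenario looks like in code: process creations naming Responder or Impacket, name-resolution traffic on UDP 5355/137 sent by a process other than the `svchost.exe` that hosts the Windows DNS Client, and SMB (TCP 445) between two hosts on the client network, which is how both the victim's connection to the rogue share and the relayed session to a second workstation appear. The events, hostnames, IPs and the `WORKSTATION_NET` range are constructed; treating `svchost.exe` as the only expected LLMNR sender is an assumption stated in the code.

```python
"""Hunt Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) records for
LLMNR-poisoning tooling, odd name-resolution senders and workstation-to-workstation SMB.
Added example, not from the post; events, hosts and IPs are constructed."""
import re
from ipaddress import ip_address, ip_network

# Tool names the post mentions, matched case-insensitively against Image and CommandLine.
TOOL_PATTERNS = re.compile(r"responder(\.py)?|ntlmrelayx|impacket", re.IGNORECASE)
# Assumption: Windows sends LLMNR/NBNS from the DNS Client service inside svchost.exe, so any
# other image talking on these ports deserves a look.
NAME_RESOLUTION_PORTS = {5355, 137}
EXPECTED_RESOLVER_IMAGE = r"c:\windows\system32\svchost.exe"
SMB_PORT = 445
WORKSTATION_NET = ip_network("10.0.0.0/24")  # constructed: the client VLAN

SAMPLE_EVENTS = [  # constructed Sysmon records with the EventData field names
    {"EventID": 1, "Computer": "WS-MALLORY", "Image": r"C:\Python39\python.exe",
     "CommandLine": "python.exe Responder.py -I eth0 -wd"},
    {"EventID": 1, "Computer": "WS-ALICE", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k NetworkService"},
    {"EventID": 3, "Computer": "WS-ALICE", "Image": r"C:\Windows\System32\svchost.exe",
     "SourceIp": "10.0.0.21", "SourcePort": 51000, "DestinationIp": "224.0.0.252", "DestinationPort": 5355},
    {"EventID": 3, "Computer": "WS-MALLORY", "Image": r"C:\Python39\python.exe",
     "SourceIp": "10.0.0.99", "SourcePort": 5355, "DestinationIp": "10.0.0.21", "DestinationPort": 51000},
    {"EventID": 3, "Computer": "WS-ALICE", "Image": "System",
     "SourceIp": "10.0.0.21", "SourcePort": 49700, "DestinationIp": "10.0.0.99", "DestinationPort": 445},
    {"EventID": 3, "Computer": "WS-MALLORY", "Image": r"C:\Python39\python.exe",
     "SourceIp": "10.0.0.99", "SourcePort": 49800, "DestinationIp": "10.0.0.23", "DestinationPort": 445},
    {"EventID": 3, "Computer": "WS-ALICE", "Image": "System",
     "SourceIp": "10.0.0.21", "SourcePort": 49701, "DestinationIp": "10.0.1.5", "DestinationPort": 445},
]

def find_tooling(events):
    """Event ID 1 whose image or command line names a known relay/poisoning tool."""
    return [(e["Computer"], e["CommandLine"]) for e in events
            if e["EventID"] == 1 and TOOL_PATTERNS.search(e["Image"] + " " + e["CommandLine"])]

def odd_resolver_processes(events):
    """Event ID 3 on the LLMNR/NBNS ports from an image other than the expected svchost.exe."""
    return [(e["Computer"], e["Image"]) for e in events
            if e["EventID"] == 3
            and NAME_RESOLUTION_PORTS & {e["SourcePort"], e["DestinationPort"]}
            and e["Image"].lower() != EXPECTED_RESOLVER_IMAGE]

def workstation_to_workstation_smb(events, net=WORKSTATION_NET):
    """Event ID 3 to TCP 445 where both endpoints sit in the client network: workstations
    normally talk SMB to file servers, not to each other."""
    return [(e["SourceIp"], e["DestinationIp"]) for e in events
            if e["EventID"] == 3 and e["DestinationPort"] == SMB_PORT
            and ip_address(e["SourceIp"]) in net and ip_address(e["DestinationIp"]) in net]

if __name__ == "__main__":
    print("tooling:", find_tooling(SAMPLE_EVENTS))
    print("odd resolvers:", odd_resolver_processes(SAMPLE_EVENTS))
    print("peer SMB:", workstation_to_workstation_smb(SAMPLE_EVENTS))
```

The peer-to-peer SMB check is the one that survives renamed tooling: whatever the relay is called, the victim still has to open a session to it and it still has to open one to the target, and both of those are 445 connections inside the client range.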

Happy investigating and hunting!


Reference for further information and to build detection rules (feel free to add more):

1- https://www.vaadata.com/blog/understanding-ntlm-authentication-and-ntlm-relay-attacks/

2- https://medium.com/@AnisO./active-directory-attacks-smb-relay-attacks-ea7d8cf9a8f8

3- https://trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022

Nelson Cacuango

Cybersecurity Learner / eJPTv2 / CWL BTF

1 month

Thanks for sharing

Sajid Kiani

SOC Team Lead @ Cisco | SOC-CA | eCTHP | eCMAP | eCDFA

1 month

Very informative

Ahmed Khormi

Master’s degree in Cybersecurity | Cybersecurity Threat Intelligence Analyst | GCTI

1 month

Insightful


More articles by Mohammad AlAqeel

