Potentially Relayed NTLM Authentication - Microsoft Defender for Endpoint

Group by: AccountName, DeviceId, DeviceIdX, DeviceName, DvcIP, LogonId, RemoteDeviceName, RemoteIP
Author: Cyb3rMonk
Source: github.com/Cyb3r-Monk/Threat-Hunting-and-Detection

The below query detects NTLM logons where Network Address in the logon event doesn't match the Workstation Name's IP. This indicates potentially relayed NTLM authentication. It analyzes only the logons with domain accounts having admin privileges.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	No specific technique

Event coverage

Provider	Event/ActionType	Title
Security-Auditing	Event ID 4624	An account was successfully logged on.
Defender-DeviceLogonEvents	LogonSuccess	Logon succeeded

Rule body kusto

// Author       : Cyb3rMonk(https://twitter.com/Cyb3rMonk, https://mergene.medium.com)
//
// Link to original post:
// https://posts.bluraven.io/detecting-ntlm-relay-attacks-d92e99e68fb9
//
// Description: This query detects NTLM logons where RemoteIP in the logon event doesn't match the RemoteDevice's IP. 
//				      This indicates potentially relayed NTLM authentication. The query analyzes only the logons with domain accounts having admin privileges. 
//
// Query parameters:
//
let lookup_window = 24h;
let baseline_window = 7d;
// Specify domains in NETBIOS name and full domain format
let domains = dynamic(["PUT YOUR AD DOMAINS HERE!", "contoso","contoso.local"]);
// Exclude authentications coming from  device performing SNAT.
let SNAT_Subnets = datatable (subnet:string)
[
"1.0.0.0/26", "1.1.1.1/32"
];
// Generate list of all known(enrolled) Devices
let all_devices = toscalar (
    DeviceInfo
    | where Timestamp > ago(baseline_window)
    | summarize make_set(DeviceName)
    );
// Create a baseline for known NTLM authentication events.
// This will be used for removing the potential false positives.
let baseline = materialize (
    DeviceLogonEvents
    | where Timestamp > ago(baseline_window) and Timestamp < ago(lookup_window)
    | where ActionType == "LogonSuccess"
    | where LogonType == "Network"
    | where Protocol=="NTLM"
    | where isnotempty(RemoteDeviceName) and isnotempty(RemoteIP)
    | where RemoteIPType <> "Loopback"
    | where AdditionalFields !has '{"IsLocalLogon":true}' // exclude local(interactive) logon
    | where AccountName !has RemoteDeviceName // exclude computer account logon
    | where AccountDomain in~ (domains) // get only the logons with domain accounts
    | distinct DeviceName, RemoteDeviceName, AccountName, RemoteIP
    );
// Generate list of servers (assuming NTLM relay is performed towards servers)
let servers = materialize (
    DeviceInfo
    | where Timestamp > ago(baseline_window)
    | where DeviceType == "Server"
    | summarize make_set(DeviceName)
    );
// Get logons to servers with LocalAdmin rights
DeviceLogonEvents
| where Timestamp > ago(lookup_window)
| where ActionType == "LogonSuccess"
| where DeviceName in (servers)
| where LogonType == "Network"
| where IsLocalAdmin == 1
| project TimestampX=Timestamp, DeviceIdX=DeviceId, DeviceName,AccountName,IsLocalAdmin
// Join LocalAdmin logons with NTLM logons. LocalAdmin logon events don't have logonID, Protocol, etc.,
// use time window join. 
| join kind=inner 
    (
    DeviceLogonEvents
    | where Timestamp > ago(lookup_window)
    | where ActionType == "LogonSuccess"
    | where LogonType == "Network"
    | where Protocol=="NTLM"
    | where isnotempty(RemoteDeviceName) and isnotempty(RemoteIP)
    | where RemoteIPType <> "Loopback"
    | where AdditionalFields !has '{"IsLocalLogon":true}' // exclude local(interactive) logon
    | where AccountName !has RemoteDeviceName // exclude computer account logon
    | where AccountDomain in~ (domains) // get only the logons with domain accounts
    )
    on $left.DeviceIdX==$right.DeviceId, AccountName 
| where abs(datetime_diff('second', Timestamp, TimestampX)) < 15 // time window condition
| summarize arg_max(Timestamp,*) by DeviceId, LogonId // get last event for each logonID
// Filter logons that are not in the baseline(unknown/new logons)
| join kind=leftanti baseline on DeviceName, RemoteDeviceName, AccountName, RemoteIP
// Filter events where there is no corresponding IP address for the RemoteDeviceName
| join kind=leftanti 
    (
    DeviceNetworkInfo
    | where Timestamp > ago(lookup_window)
    | mv-expand todynamic(IPAddresses)
    | extend DvcIP = tostring(IPAddresses.IPAddress)
    | summarize arg_max(Timestamp,*) by DeviceId, DvcIP // get last report event for each IP
    | project DeviceId, DeviceName=replace(@'([A-z0-9-]+)\.?.*',@'\1',DeviceName), ReportTimestamp = Timestamp, DvcIP, IPAddresses
    )
    on $left.RemoteDeviceName==$right.DeviceName, $left.RemoteIP==$right.DvcIP // filter condition
// Get last logon event (remove duplication)
| summarize arg_max(Timestamp,*), count() by DeviceId, AccountName, RemoteDeviceName, RemoteIP
// Get only the logons originated from a known(enrolled) device.
| where all_devices has RemoteDeviceName
// Exclude SNAT subnets
// ipv4 lookup doesn't have notmatch condition. 
| evaluate ipv4_lookup(SNAT_Subnets, RemoteIP, subnet, return_unmatched = true)
| where isempty(subnet) // remove results that matched a SNAT subnet.
| extend Origin = RemoteDeviceName, RelayingDeviceIP = RemoteIP, Target = DeviceName
| project-away TimestampX, DeviceIdX, AccountName1, DeviceName1
| project-reorder Timestamp, Origin, RelayingDeviceIP, Target, AccountName

Stages and Predicates

Parameters

let lookup_window = 24h;
let baseline_window = 7d;
let domains = dynamic(["PUT YOUR AD DOMAINS HERE!", "contoso","contoso.local"]);

Let binding: `SNAT_Subnets`

let SNAT_Subnets = datatable (subnet:string)
[
"1.0.0.0/26", "1.1.1.1/32"
];

Let binding: `all_devices`

let all_devices = toscalar (
    DeviceInfo
    | where Timestamp > ago(baseline_window)
    | summarize make_set(DeviceName)
    );

Derived from baseline_window.

Let binding: `baseline`

let baseline = materialize (
    DeviceLogonEvents
    | where Timestamp > ago(baseline_window) and Timestamp < ago(lookup_window)
    | where ActionType == "LogonSuccess"
    | where LogonType == "Network"
    | where Protocol=="NTLM"
    | where isnotempty(RemoteDeviceName) and isnotempty(RemoteIP)
    | where RemoteIPType <> "Loopback"
    | where AdditionalFields !has '{"IsLocalLogon":true}'
    | where AccountName !has RemoteDeviceName
    | where AccountDomain in~ (domains)
    | distinct DeviceName, RemoteDeviceName, AccountName, RemoteIP
    );

Derived from lookup_window, baseline_window, domains.

Let binding: `servers`

let servers = materialize (
    DeviceInfo
    | where Timestamp > ago(baseline_window)
    | where DeviceType == "Server"
    | summarize make_set(DeviceName)
    );

Derived from baseline_window.

Stage 1: `source`

DeviceLogonEvents

Stage 2: `where`

| where Timestamp > ago(lookup_window)

Stage 3: `where`

| where ActionType == "LogonSuccess"

Stage 4: `where`

| where DeviceName in (servers)

References servers (defined above).

Stage 5: `where`

| where LogonType == "Network"

Stage 6: `where`

| where IsLocalAdmin == 1

Stage 7: `project`

| project TimestampX=Timestamp, DeviceIdX=DeviceId, DeviceName,AccountName,IsLocalAdmin

Stage 8: `join`

| join kind=inner 
    (
    DeviceLogonEvents
    | where Timestamp > ago(lookup_window)
    | where ActionType == "LogonSuccess"
    | where LogonType == "Network"
    | where Protocol=="NTLM"
    | where isnotempty(RemoteDeviceName) and isnotempty(RemoteIP)
    | where RemoteIPType <> "Loopback"
    | where AdditionalFields !has '{"IsLocalLogon":true}'
    | where AccountName !has RemoteDeviceName
    | where AccountDomain in~ (domains)
    )
    on $left.DeviceIdX==$right.DeviceId, AccountName

Stage 9: `where`

| where abs(datetime_diff('second', Timestamp, TimestampX)) < 15

Stage 10: `summarize`

| summarize arg_max(Timestamp,*) by DeviceId, LogonId

Stage 11: `join` (negated)

| join kind=leftanti baseline on DeviceName, RemoteDeviceName, AccountName, RemoteIP

Stage 12: `join` (negated)

| join kind=leftanti 
    (
    DeviceNetworkInfo
    | where Timestamp > ago(lookup_window)
    | mv-expand todynamic(IPAddresses)
    | extend DvcIP = tostring(IPAddresses.IPAddress)
    | summarize arg_max(Timestamp,*) by DeviceId, DvcIP
    | project DeviceId, DeviceName=replace(@'([A-z0-9-]+)\.?.*',@'\1',DeviceName), ReportTimestamp = Timestamp, DvcIP, IPAddresses
    )
    on $left.RemoteDeviceName==$right.DeviceName, $left.RemoteIP==$right.DvcIP

Stage 13: `summarize`

| summarize arg_max(Timestamp,*), count() by DeviceId, AccountName, RemoteDeviceName, RemoteIP

Stage 14: `where`

| where all_devices has RemoteDeviceName

References all_devices (defined above).

Stage 15: `evaluate`

| evaluate ipv4_lookup(SNAT_Subnets, RemoteIP, subnet, return_unmatched = true)

Stage 16: `where`

| where isempty(subnet)

Stage 17: `extend`

| extend Origin = RemoteDeviceName, RelayingDeviceIP = RemoteIP, Target = DeviceName

Stage 18: `project-away`

| project-away TimestampX, DeviceIdX, AccountName1, DeviceName1

Stage 19: `project-reorder`

| project-reorder Timestamp, Origin, RelayingDeviceIP, Target, AccountName

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`AccountName`	match	`RemoteDeviceName`
`AdditionalFields`	match	`{"IsLocalLogon":true}`
`AccountDomain`	in	`PUT YOUR AD DOMAINS HERE!`, `contoso`, `contoso.local`
`ActionType`	eq	`LogonSuccess`
`LogonType`	eq	`Network`
`Protocol`	eq	`NTLM`
`RemoteDeviceName`	is_not_null	(no value, null check)
`RemoteIP`	is_not_null	(no value, null check)
`RemoteIPType`	ne	`Loopback`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AccountDomain`	in	`PUT YOUR AD DOMAINS HERE!` `contoso` `contoso.local`
`AccountName`	match	`RemoteDeviceName` transforms: `term`
`ActionType`	eq	`LogonSuccess` transforms: `cased` corpus 5 (kusto 5)
`AdditionalFields`	match	`{"IsLocalLogon":true}` transforms: `term`
`DeviceName`	in	`servers` transforms: `cased`
`IsLocalAdmin`	eq	`1` transforms: `cased`
`LogonType`	eq	`Network` transforms: `cased` corpus 40 (splunk 13, sigma 12, elastic 9, kusto 6)
`Protocol`	eq	`NTLM` transforms: `cased` corpus 2 (kusto 2)
`RemoteDeviceName`	is_not_null	(no value, null check)
`RemoteIP`	is_not_null	(no value, null check)
`RemoteIPType`	ne	`Loopback` transforms: `cased` corpus 2 (kusto 2)
`all_devices`	match	`RemoteDeviceName` transforms: `term`
`subnet`	is_null	(no value, null check)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`AccountName`	`summarize`
`DeviceId`	`summarize`
`RemoteDeviceName`	`summarize`
`RemoteIP`	`summarize`
`Origin`	`extend`
`RelayingDeviceIP`	`extend`
`Target`	`extend`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Potentially Relayed NTLM Authentication - Microsoft Defender for Endpoint

MITRE ATT&CK coverage

Event coverage

Rule body kusto

Stages and Predicates

Parameters

Let binding: `SNAT_Subnets`

Let binding: `all_devices`

Let binding: `baseline`

Let binding: `servers`

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `where`

Stage 5: `where`

Stage 6: `where`

Stage 7: `project`

Stage 8: `join`

Stage 9: `where`

Stage 10: `summarize`

Stage 11: `join` (negated)

Stage 12: `join` (negated)

Stage 13: `summarize`

Stage 14: `where`

Stage 15: `evaluate`

Stage 16: `where`

Stage 17: `extend`

Stage 18: `project-away`

Stage 19: `project-reorder`

Exclusions

Indicators

Output fields

Keyboard shortcuts

Search operators

Potentially Relayed NTLM Authentication - Microsoft Defender for Endpoint

MITRE ATT&CK coverage

Event coverage

Rule body kusto

Stages and Predicates

Parameters

Let binding: SNAT_Subnets

Let binding: all_devices

Let binding: baseline

Let binding: servers

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: where

Stage 5: where

Stage 6: where

Stage 7: project

Stage 8: join

Stage 9: where

Stage 10: summarize

Stage 11: join (negated)

Stage 12: join (negated)

Stage 13: summarize

Stage 14: where

Stage 15: evaluate

Stage 16: where

Stage 17: extend

Stage 18: project-away

Stage 19: project-reorder

Exclusions

Indicators

Output fields

Let binding: `SNAT_Subnets`

Let binding: `all_devices`

Let binding: `baseline`

Let binding: `servers`

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `where`

Stage 5: `where`

Stage 6: `where`

Stage 7: `project`

Stage 8: `join`

Stage 9: `where`

Stage 10: `summarize`

Stage 11: `join` (negated)

Stage 12: `join` (negated)

Stage 13: `summarize`

Stage 14: `where`

Stage 15: `evaluate`

Stage 16: `where`

Stage 17: `extend`

Stage 18: `project-away`

Stage 19: `project-reorder`