[WARNING] This blog post was created when Microsoft Windows still came in a physical box with multiple installation disks.
Microsoft Defender for Identity can identify Lateral Movement Paths. Lateral Movement Paths allow malicious actors to hop from one device to another or from one account to another. For Microsoft Defender for Identity to identify these Lateral Movement Paths, it needs to know which users are local administrators on domain member servers. Microsoft Defender for Identity uses the Security Account Manager Remote (SAM-R) protocol to enumerate the users and groups on member servers. I discovered that it is possible to perform an NTLM relay attack and enumerate any member server in the domain for its local users and groups.
Introduction
Before I explain the NTLM-Relay attack, I want to explain what SAM-R is and why an NTLM-Relay attack works in the first place.
The Security Account Manager (SAM) database is a Windows file containing the local users and their password hashes; it is used to authenticate local users both locally and remotely. The SAM file is located in the following folder: %SystemRoot%\System32\config\.
Microsoft created the SAM-R Remote Procedure Call (RPC) protocol to allow administrators and users to manage users, groups, and computers. The SAM-R protocol is built on top of the Server Message Block (SMB) protocol. The IPC$ (Inter-Process Communication) share exposes the named pipes used for communication between a client and a server, including the SAM-R named pipe. By default, only administrators are allowed to access the SAM-R named pipe.
Lateral Movement Paths
To identify Lateral Movement Paths, Microsoft Defender for Identity uses the Directory Service Account to access the SAM-R named pipe on member servers and enumerate their users and groups. Since only administrators can access the named pipe, you need to configure a policy that grants the Directory Service Account remote access to it.
NTLM Relay Attack
Because the IPC$ SMB share provides the named pipe, authentication to it takes place over SMB. So, once Microsoft Defender for Identity enumerates a member server that a malicious actor has compromised, the malicious actor can ask Microsoft Defender for Identity to authenticate using NTLM and relay that authentication to another member server. Because every member server is configured to let the Directory Service Account access the SAM-R named pipe, the relayed authentication lets a malicious actor query any server in the domain for its users and groups.

Here is an example of an NTLM relay attack querying another server for its local administrators.

Mitigation
Turning off NTLM authentication is the best solution, but enabling SMB signing also mitigates the risk of an NTLM relay attack. If you do not need Lateral Movement Paths, you can also choose not to enable them in Microsoft Defender for Identity.
As you can see in the screenshot above, the authentication first takes place using Kerberos. I still wonder if performing a Kerberos relay attack and getting a valid Ticket Granting Ticket is possible, but that is for my next blog post.
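To check a member server against the mitigations discussed above, here is an added PowerShell audit script; it is not part of the original post. It reads the registry values that back the SMB signing, outgoing NTLM, and remote SAM access policies (the policy names and registry paths are the documented Windows settings), and the "Ok" thresholds are my mapping of the post's recommendations; which accounts belong in the remote SAM access list is something you verify against your own Directory Service Account.

```powershell
# Added audit script, not part of the original post. Run elevated on a domain member server.
# Registry paths and value names are the documented backing of the Group Policy settings
# named in the comments; the "Ok" thresholds map to the mitigations discussed above.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the Windows default applies
}

function Get-SamrRelayPosture {
    $lanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lanCli = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $result = @()

    # "Microsoft network server/client: Digitally sign communications (always)".
    # 1 = signing required; a relayed SAM-R authentication cannot sign the SMB session.
    $srvSign = Get-RegValue $lanSrv 'RequireSecuritySignature'
    $cliSign = Get-RegValue $lanCli 'RequireSecuritySignature'
    $result += [pscustomobject]@{ Check = 'SMB server signing required'; Value = $srvSign; Ok = ($srvSign -eq 1) }
    $result += [pscustomobject]@{ Check = 'SMB client signing required'; Value = $cliSign; Ok = ($cliSign -eq 1) }

    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    # 2 = deny all: the "turn off NTLM" option, so this host never offers NTLM to a relay.
    $ntlmOut = Get-RegValue "$lsa\MSV1_0" 'RestrictSendingNTLMTraffic'
    $result += [pscustomobject]@{ Check = 'Outgoing NTLM denied'; Value = $ntlmOut; Ok = ($ntlmOut -eq 2) }

    # "Network access: Restrict clients allowed to make remote calls to SAM".
    # The value is an SDDL string; each (A;;RC;;;<sid>) entry grants remote SAM access.
    # Expect only built-in Administrators (BA) and the Directory Service Account here.
    $sddl = Get-RegValue $lsa 'RestrictRemoteSAM'
    $grantees = @()
    if ($sddl) {
        foreach ($m in [regex]::Matches($sddl, '\(A;;[^;]*;;;([^)]+)\)')) {
            $sid = $m.Groups[1].Value
            try {
                $grantees += ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $grantees += $sid }   # SDDL aliases such as BA do not translate; keep as-is
        }
    }
    # Ok here only means the policy is explicitly set; review the grantee list by hand.
    $result += [pscustomobject]@{ Check = 'Remote SAM access granted to'; Value = ($grantees -join ', '); Ok = [bool]$sddl }
    return $result
}

Get-SamrRelayPosture | Format-Table -AutoSize
```

An absent RequireSecuritySignature value means the default applies, which on member servers is "not required", so the script reports it as not Ok.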
Conclusion
As far as I know, the policy that grants the Directory Service Account remote access to the SAM only allows a malicious actor to enumerate the local users and groups on a member server. Although that is valuable information for a malicious actor, I would not worry too much about the NTLM relay attack. This blog post aims to identify the risks of configuring Lateral Movement Paths in Microsoft Defender for Identity so you can make the best decision when configuring the product.