Run any Skill in Manus with one click

hunting-for-ntlm-relay-attacks

Detect NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP authentication, identifying IP-to-hostname mismatches, Responder traffic signatures, SMB signing status, and suspicious authentication patterns across the domain.

Run Skill in Manus

Overview

Install command

npx skills add https://github.com/mukul975/Anthropic-Cybersecurity-Skills --skill hunting-for-ntlm-relay-attacks

Copy and paste this command into Claude Code to install the skill

Source

mukul975/Anthropic-Cybersecurity-Skills

Stars13,851

Forks1,622

UpdatedJune 1, 2026 at 10:13

File Explorer

4 files

SKILL.md

readonly

name	hunting-for-ntlm-relay-attacks
description	Detect NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP authentication, identifying IP-to-hostname mismatches, Responder traffic signatures, SMB signing status, and suspicious authentication patterns across the domain.
domain	cybersecurity
subdomain	threat-hunting
tags	["NTLM-relay","Windows-events","Event-4624","NTLMSSP","Responder","SMB-signing","credential-access","T1557.001","Active-Directory"]
version	1.0
author	mahipal
license	Apache-2.0
d3fend_techniques	["Application Protocol Command Analysis","Network Isolation","Network Traffic Analysis","Client-server Payload Profiling","Network Traffic Community Deviation"]
nist_csf	["DE.CM-01","DE.AE-02","DE.AE-07","ID.RA-05"]
mitre_attack	["T1046","T1057","T1082","T1083","T1003"]

Hunting for NTLM Relay Attacks

Overview

NTLM relay attacks intercept and forward NTLM authentication messages to gain unauthorized access to network resources. Attackers use tools like Responder for LLMNR/NBT-NS poisoning and ntlmrelayx for credential relay. This skill detects relay activity by querying Windows Security Event 4624 (successful logon) for type 3 network logons with NTLMSSP authentication, identifying mismatches between WorkstationName and source IpAddress, detecting rapid multi-host authentication from single accounts, and auditing SMB signing configuration across domain hosts.

When to Use

When investigating security incidents that require hunting for ntlm relay attacks
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.9+ with Windows Event Log access or exported logs
Windows Security audit logging enabled (Event ID 4624, 4625, 5145)
Network access for SMB signing status checks

Key Detection Areas

IP-hostname mismatch — WorkstationName in Event 4624 does not resolve to the source IpAddress
NTLMSSP authentication — logon events using NTLM instead of Kerberos from domain-joined hosts
Machine account relay — computer accounts (ending in $) authenticating from unexpected IPs
Rapid authentication — single account authenticating to multiple hosts within seconds
Named pipe access — Event 5145 showing access to Spoolss, lsarpc, netlogon, samr pipes
SMB signing disabled — hosts not enforcing SMB signing, enabling relay attacks

Output

JSON report with suspected relay events, IP-hostname correlation anomalies, SMB signing audit results, and MITRE ATT&CK mapping to T1557.001.

More from this repository

same repository

acquiring-disk-image-with-dd-and-dcfldd

mukul975/Anthropic-Cybersecurity-Skills

Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.

2026-06-0113.9k

analyzing-active-directory-acl-abuse

mukul975/Anthropic-Cybersecurity-Skills

Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths

2026-06-0113.9k

analyzing-android-malware-with-apktool

mukul975/Anthropic-Cybersecurity-Skills

Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.

2026-06-0113.9k

analyzing-api-gateway-access-logs

mukul975/Anthropic-Cybersecurity-Skills

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.

2026-06-0113.9k

analyzing-apt-group-with-mitre-navigator

mukul975/Anthropic-Cybersecurity-Skills

Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.

2026-06-0113.9k

analyzing-azure-activity-logs-for-threats

mukul975/Anthropic-Cybersecurity-Skills

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

2026-06-0113.9k

Source

mukul975

mukul975/Anthropic-Cybersecurity-Skills

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	hunting-for-ntlm-relay-attacks
description	Detect NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP authentication, identifying IP-to-hostname mismatches, Responder traffic signatures, SMB signing status, and suspicious authentication patterns across the domain.
domain	cybersecurity
subdomain	threat-hunting
tags	["NTLM-relay","Windows-events","Event-4624","NTLMSSP","Responder","SMB-signing","credential-access","T1557.001","Active-Directory"]
version	1.0
author	mahipal
license	Apache-2.0
d3fend_techniques	["Application Protocol Command Analysis","Network Isolation","Network Traffic Analysis","Client-server Payload Profiling","Network Traffic Community Deviation"]
nist_csf	["DE.CM-01","DE.AE-02","DE.AE-07","ID.RA-05"]
mitre_attack	["T1046","T1057","T1082","T1083","T1003"]

Hunting for NTLM Relay Attacks

Overview

When to Use

When investigating security incidents that require hunting for ntlm relay attacks
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.9+ with Windows Event Log access or exported logs
Windows Security audit logging enabled (Event ID 4624, 4625, 5145)
Network access for SMB signing status checks

Key Detection Areas

IP-hostname mismatch — WorkstationName in Event 4624 does not resolve to the source IpAddress
NTLMSSP authentication — logon events using NTLM instead of Kerberos from domain-joined hosts
Machine account relay — computer accounts (ending in $) authenticating from unexpected IPs
Rapid authentication — single account authenticating to multiple hosts within seconds
Named pipe access — Event 5145 showing access to Spoolss, lsarpc, netlogon, samr pipes
SMB signing disabled — hosts not enforcing SMB signing, enabling relay attacks

Output

JSON report with suspected relay events, IP-hostname correlation anomalies, SMB signing audit results, and MITRE ATT&CK mapping to T1557.001.