No creds → Domain Admin via LLMNR poisoning and NTLM relay
An unauthenticated attacker on the LAN poisons name resolution, relays the captured NetNTLMv2 to a host with SMB signing disabled, then escalates to Domain Admin.
§ Context
Assumed environment: attacker has a foothold on the internal LAN (e.g. a rogue device, VLAN hop, or compromised low-trust host) but no domain credentials. SMB signing is not enforced on at least one host, and LLMNR/NBT-NS broadcast resolution is enabled.
§ Steps
- 01 Dump LSASS (Credential Access, T1003.001 — LSASS Memory)
Recover cached domain creds / Kerberos tickets from the foothold.
- 02 Network recon (Discovery, T1018 — Remote System Discovery)
Identify hosts, DCs, MS-SQL servers, file shares.
- 03 Lateral movement to high-value host (Lateral Movement, T1550.002 — Pass the Hash)
- 04 Code execution as relayed user (Lateral Movement, T1021.002 — SMB/Windows Admin Shares)
If the coerced principal is a local admin on the target, get a SYSTEM shell via SMB exec.
- 05 BloodHound enumeration (Discovery, AD-BLOODHOUND — BloodHound / SharpHound Enumeration)
Find a path from the harvested principal to Domain Admin.
- 06
- 07 NTLM relay to SMB (Credential Access, T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay)
ntlmrelayx.py -tf targets.txt -smb2support — relay to any host without SMB signing.
- 08 LLMNR/NBT-NS/mDNS poisoning (Credential Access, T1557.001 — LLMNR/NBT-NS Poisoning and SMB Relay)
Responder -I eth0 — answer name-resolution broadcasts to receive NetNTLMv2 challenges.
§ References
- T1003.001 LSASS Memory
- T1018 Remote System Discovery
- T1550.002 Pass the Hash
- T1021.002 SMB/Windows Admin Shares
- T1003.006 DCSync
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
§ Frequently asked
- What is the "No creds → Domain Admin via LLMNR poisoning and NTLM relay" attack path?
- An unauthenticated attacker on the LAN poisons name resolution, relays the captured NetNTLMv2 to a host with SMB signing disabled, then escalates to Domain Admin. It chains 8 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Dump LSASS (T1003.001) — a credential access primitive. Assumed environment: attacker has a foothold on the internal LAN (e.
- What is the final impact of this kill-chain?
- The final step lands on LLMNR/NBT-NS/mDNS poisoning (T1557.001), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques: 2
mitm6 IPv6 SLAAC → NTLM relay → DA
Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.
- Shared techniques: 2
PetitPotam + ADCS ESC8 → Domain Controller takeover
Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.
- Shared techniques: 2
ZeroLogon (CVE-2020-1472) → Domain takeover
Unauthenticated attacker abuses the Netlogon AES-CFB8 flaw to reset a DC's machine account password to empty, dumps secrets, and restores the original password.
- Shared techniques: 2
Unconstrained delegation → Capture DC TGT → DCSync
Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- Shared techniques: 2
LAPS read → local admin on every endpoint
A delegated 'helpdesk' group gains read access to ms-Mcs-AdmPwd. Compromising any member of that group cascades to local admin on every LAPS-managed machine.
- Shared techniques: 2
GenericWrite on Domain Admins → AddMember → DA
A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.