How We Bypassed All NTLM Relay Mitigations — And How to Ensure You’re Protected

Active Directory has always been a popular target for attackers — and one of the weakest spots in Active Directory environments lies in the design of one of the oldest authentication protocols, NTLM. From CVE-2015-0005 to the recent LDAPS Relay vulnerability, it is clear why this protocol is one of the attackers’ favorites. Although there are mitigations such as server signing, protecting the entire domain from NTLM relay is virtually impossible.

In an encore presentation of one of Black Hat 2019’s and DEFCON27’s most popular talks, members of our Zero Trust research team have:

  • Mentioned several new ways to abuse NTLM, including a critical zero-day vulnerability we have discovered which enables attackers to perform NTLM Relay and take over any machine in the domain, even with the strictest security configuration, while bypassing all of today’s offered mitigations.
  • Delineated the risks of this protocol which are not limited to the boundaries of the on-premises environment, showing another vulnerability which allows bypassing various AD-FS restrictions in order to take over cloud resources as well.

Watch the on-demand webinar today!


  • OS icon
  • deployment icon
  • installation icon

For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.

Visit the Tech Center