Because attackers can coerce a controller into authenticating outward, then relay that weaker authentication into directory actions such as shadow credentials or RBCD. The danger is not only cracking a response, but converting a trusted machine identity into administrative control.
Why This Matters for Security Teams
NTLMv1 is dangerous on domain controllers because it preserves an older trust path that can be abused as an identity bridge, not just a password-cracking target. Once a controller can be induced to authenticate outward, the resulting machine authentication can be relayed into directory changes that outlive the session. That turns one weak protocol choice into durable privilege escalation, especially where service accounts, delegated admin paths, or legacy management tooling remain in place.
This is why directory compromise is often a governance problem as much as a protocol problem. The same pattern appears across NHI incidents: one weak credential pathway becomes a control-plane issue, and attackers move from authentication to authorization before defenders notice. NHIMG’s The 52 NHI breaches Report shows how identity failures repeatedly become breach multipliers, while Cisco Active Directory credentials breach illustrates how directory credentials can turn into broad operational exposure. In practice, many security teams encounter NTLMv1 abuse only after directory modifications have already been made, rather than through intentional testing.
How It Works in Practice
With NTLMv1 enabled, a domain controller may still negotiate a legacy response format that is easier to abuse in relay scenarios. The attacker’s goal is usually not to “break” the controller directly, but to coerce it into authenticating to a controlled endpoint, then forward that authentication into LDAP or related directory services. If signing, channel binding, and relay-resistant hardening are incomplete, the attacker can use the controller’s own machine identity to write attributes, add delegation, or create persistence mechanisms such as shadow credentials or RBCD.
Operationally, that means defenders must think in layers:
- Remove NTLMv1 wherever possible and treat remaining NTLM as an exception, not a default.
- Require LDAP signing and, where supported, channel binding to reduce relay viability.
- Restrict outbound authentication from controllers so coercion does not become a privilege bridge.
- Monitor for machine-account writes, unusual SPNs, and delegated rights changes on high-value directory objects.
The broader governance lesson aligns with NIST Cybersecurity Framework 2.0: identity services need explicit protect and detect controls, not assumptions that “internal” traffic is trustworthy. Current guidance also maps to Ultimate Guide to NHIs — Key Challenges and Risks because controllers are high-value machine identities with broad authority. These controls tend to break down in mixed estates where legacy NTLM clients, permissive LDAP settings, and administrative exceptions are still required for business continuity.
Common Variations and Edge Cases
Tighter directory hardening often increases operational overhead, so organisations must balance compatibility against attack surface. That tradeoff is especially visible in older Windows estates, third-party appliances, and applications that still depend on NTLM for service authentication or fallback paths.
One edge case is that NTLMv1 may not be the only issue. If NTLMv2 remains enabled but signing is absent, or if controllers can still be coerced into authenticating to attacker-controlled hosts, the relay problem can persist in a different form. Another is that some environments use “temporary” exceptions for printers, scanners, or packaged software, and those exceptions quietly become permanent. Best practice is evolving, but there is no universal standard for this yet: some organisations can fully disable NTLM on controllers, while others must stage the change with exception logging, service mapping, and compensation controls.
For teams working to a formal governance model, Anthropic — first AI-orchestrated cyber espionage campaign report is a useful reminder that adversaries increasingly chain identities, tools, and privileges rather than relying on one exploit. That is also why Top 10 NHI Issues matters here: machine identities with broad standing rights are still a common path to domain impact. Ultimate Guide to NHIs — Standards is the better reference point when deciding which identity controls to phase in first, especially where legacy protocols cannot be removed immediately.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Legacy authentication on controllers increases NHI abuse and relay risk. |
| NIST CSF 2.0 | PR.AC-4 | Identity and access hardening limits abuse of controller machine accounts. |
| NIST AI RMF | Risk governance should cover identity-dependent attack paths and legacy trust. |
Document legacy auth risk, assign owners, and monitor for control-plane abuse patterns.
