DeepSec 2025 Talk: Man-In-The-Service: Truly OpSec Safe Relay Techniques – Tobia Righi
Recently, because of EDRs, it has become harder and harder to abuse credential access by dumping LSASS after compromising a Windows server and gaining local administrator on it. Many red teamers, pentesters and APTs have therefore moved towards a stealthier way of abusing credential access: relaying such credentials in real time to other misconfigured servers in the network. Gaining administrative access to a server can be quite helpful in this; however, all current techniques are not very effective and/or require complete or partial disruption of existing Windows services, making them not very OpSec safe. Introducing RelayBox, a new technique to perform a Man-In-The-Service attack. Using RelayBox, an attacker is able to place themselves between a legitimate Windows service and its clients and relay valid authentication attempts without any disruption to the service’s usability. This creates a transparent proxy for SMB and other Windows services. I will present this technique and the tool used, and showcase new relaying techniques that can be chained with this novel approach to obtain world domination. I will show and then release the tools after the talk.
We asked Tobia a few more questions about his talk.
Please tell us the Top 5 facts about your talk
- I will showcase how to abuse a local administrator on one Windows server to turn it into a relay point for attackers to perform relay attacks.
- The focus will be on a technique that I call Man-In-The-Service which allows an attacker to place himself between a legitimate Windows service to be able to relay credentials without disrupting the availability of the original service.
- Multiple services will be covered, including SMB, HTTP and MSSQL, showcasing a technique that can be applied to almost any service in order to silently harvest and relay credentials.
- A tool/framework will be presented and released that can be used to carry out these attacks as well as easily develop new modules to implement custom protocols.
- All of this will be paired up with modern relaying techniques to showcase how to take over an entire domain from one single server compromise.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
The idea for this technique and tool all sparked from the frustration of not being able to use NTLM and Kerberos relaying attacks during assignments. This was because oftentimes it wasn’t possible to:
- get a machine with the necessary tooling in the internal network
- mess with host/name resolution protocols without severely degrading the customer’s environment and thus getting caught
- wait for users/machines to magically reach out to the malicious box set up in the internal network
That’s when I stumbled upon SpecterOps’ research that showcased how to stop the built-in SMB service and port-forward it to a box with relaying tools. This was quite good, especially if the targeted server was used by a lot of accounts. However, the obvious problem and what made this not available to me as a technique was that often the best target for doing this is also a widely used machine in the domain, meaning that shutting down SMB was not really an option as it would cause major disruptions.
That is when I went on the quest for carrying out relay attacks without relying on coercion, host resolution spoofing, social engineering and that would not degrade the environment. That is what I will present in my talk.
Why do you think this is an important topic?
Attackers need new tools and techniques that can both be quite transparent to EDRs, and non-disruptive to the environment. Additionally, showcasing these techniques and how simple they are will hopefully give more of a push to the blue team to hurry and patch vectors for relay attacks.
Is there something you want everybody to know – some good advice for our readers maybe?
Have fun and check out the tool that will be released shortly before the talk on my GitHub: https://github.com/Splinter0
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I think we will see more and more threat actors using “quieter” techniques and not only focus on EDR bypasses; thus, it’s important we realize that slapping an EDR into the environment is not enough to stop a motivated attacker. We must understand the techniques and move towards fixing these types of attacks at the core.
A self-taught hacker doing as much security research as I can, I like deep diving into technologies, especially authentication mechanisms. Originally mostly a web hacker, but I get into many things now. Sci-fi geek, come talk to me about Asimov and Gibson please.