CVE-2019-1040, known as Drop the MIC, describes a vulnerability in how Windows validates the NTLM Message Integrity Code (MIC). The MIC is a field in the NTLM AUTHENTICATE message that binds the entire authentication exchange to a specific session; its purpose is to prevent cross-protocol relay by tying the credentials to the originating connection. On unpatched hosts, the MIC field can be stripped from the NTLM message before forwarding. The target server accepts the modified message, allowing the attacker to relay SMB authentication to LDAP or LDAPS, even when those services would normally reject cross-protocol relay.

RelayKing detects this automatically using the UBR (Update Build Revision) already queried from the remote registry. No extra network requests are made.

How the attack works

  1. An attacker captures an NTLM AUTHENTICATE message from a host (e.g., via coercion or a man-in-the-middle position).
  2. The MIC field is stripped from the captured message using ntlmrelayx.py --remove-mic.
  3. The modified message is forwarded to an LDAP or LDAPS server on a different host.
  4. The LDAP server accepts the authentication because without MIC, it cannot detect the protocol mismatch.
  5. The attacker acts as the relayed identity — typically a machine account — with full write access to LDAP.

Detection logic

RelayKing maintains a patch reference table for CVE-2019-1040 keyed by (major, minor, build):

| Windows version | Build | Minimum patched UBR |
|---|---|---|
| Windows 10 1507 | 10.0.10240 | 18244 |
| Windows Server 2016 / Win10 1607 | 10.0.14393 | 3025 |
| Windows 10 1703 | 10.0.15063 | 1868 |
| Windows 10 1709 | 10.0.16299 | 1217 |
| Windows 10 1803 | 10.0.17134 | 829 |
| Windows Server 2019 / Win10 1809 | 10.0.17763 | 557 |
| Windows 10 1903 | 10.0.18362 | 175 |

Builds at or above 10.0.18363 (Windows 10 1909 and later) shipped after the June 2019 patch and are not in the affected range. For each scanned host, if ubr < min_patched_ubr for the detected build, the host is flagged as vulnerable to CVE-2019-1040.

Severity

HIGH — cross-protocol relay from SMB to LDAP/LDAPS with --remove-mic enables AD attribute writes (RBCD, shadow credentials, group membership changes) from any coerced authentication.

Relay path produced

Source protocol: smb
Destination protocol: ldap
Impact: HIGH
Description: CVE-2019-1040 (Drop the MIC): <host> running Windows <build> is unpatched —
  MIC can be stripped from NTLM messages enabling cross-protocol relay
  (SMB -> LDAP/LDAPS). Use ntlmrelayx with --remove-mic.

How to exploit

Once RelayKing identifies an unpatched host, use ntlmrelayx.py with the --remove-mic flag to perform the cross-protocol relay:

```bash
# Relay SMB authentication to LDAP with MIC stripped
ntlmrelayx.py -t ldap://<DC_IP> --remove-mic -smb2support
# Relay to LDAPS
ntlmrelayx.py -t ldaps://<DC_IP> --remove-mic -smb2support
# Relay and delegate (RBCD) in one step
ntlmrelayx.py -t ldap://<DC_IP> --remove-mic --delegate-access -smb2support
```

The --remove-mic flag in ntlmrelayx strips the MIC field before forwarding. The relay only succeeds against hosts that are missing the June 2019 patch. RelayKing’s finding confirms the target is unpatched before you attempt this.

No additional network requests

This check reuses the UBR value read from the remote registry during the NTLM reflection detection pass. No additional connections are made to determine CVE-2019-1040 status.

Remediation

Apply the June 2019 Patch Tuesday cumulative updates (KB4503291, KB4503267, KB4503279, KB4503284, KB4503286, KB4503327, KB4503293 depending on build). After patching, the host will validate the MIC field and reject modified NTLM messages.

```powershell
# Verify patch level on a Windows host (run locally)
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
```

Compare the returned UBR against the minimum patched value for your build from the table above.
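
The comparison described under "Detection logic", applied to a patch-audit inventory so the manual check above can be run across many hosts. This is an added example, not RelayKing's own code: the function names, verdict labels and sample inventory are assumptions, and only the table values come from this page. Builds missing from the table are reported as "unknown" because the page does not say how they are handled.

```python
import re

# Minimum patched UBR per (major, minor, build), copied from the table on this page.
MIN_PATCHED_UBR = {
    (10, 0, 10240): 18244,  # Windows 10 1507
    (10, 0, 14393): 3025,   # Windows Server 2016 / Win10 1607
    (10, 0, 15063): 1868,   # Windows 10 1703
    (10, 0, 16299): 1217,   # Windows 10 1709
    (10, 0, 17134): 829,    # Windows 10 1803
    (10, 0, 17763): 557,    # Windows Server 2019 / Win10 1809
    (10, 0, 18362): 175,    # Windows 10 1903
}
FIRST_UNAFFECTED = (10, 0, 18363)  # 1909 and later shipped after the June 2019 patch
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def classify(version):
    """Classify a 'major.minor.build.ubr' string against the patch table."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"  # UBR missing or malformed: no verdict possible
    major, minor, build, ubr = map(int, m.groups())
    key = (major, minor, build)
    if key >= FIRST_UNAFFECTED:
        return "not_affected"
    min_ubr = MIN_PATCHED_UBR.get(key)
    if min_ubr is None:
        return "unknown"  # build not in the page's table (assumption: no verdict)
    return "vulnerable" if ubr < min_ubr else "patched"

def triage(inventory):
    """Group host names by verdict so unpatched hosts can be prioritised."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report

# Constructed sample inventory (host names and versions invented for illustration).
SAMPLE = {
    "dc01": "10.0.17763.379",
    "fs01": "10.0.14393.3025",
    "ws07": "10.0.18363.418",
    "app02": "6.3.9600.19377",
    "ws09": "10.0.19041",
}

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE).items():
        print(f"{verdict}: {', '.join(hosts)}")
```

Hosts reported as "unknown" or "unparsed" still need a manual patch check; the result only means the table gives no verdict.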

Flags

This check runs automatically during every scan. No flag is required.

| Behavior | Details |
|---|---|
| Runs automatically | Yes |
| Auth required | Low-privilege credentials (for RemoteRegistry access) |
| Additional network requests | No (reuses UBR from the reflection registry read) |
