T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PoisoningTools = dynamic(["responder.exe", "inveigh.exe", "ntlmrelayx.exe", "smbrelayx.exe", "multirelay.exe", "nbnspoof.exe", "conveigh.exe"]);
let PoisoningKeywords = dynamic(["Responder", "Inveigh", "Invoke-Inveigh", "ntlmrelayx", "smbrelayx", "MultiRelay", "NBNSpoof", "llmnr_response", "-rPv", "Inveigh-Unprivileged"]);
let PythonInterpreters = dynamic(["python.exe", "python3.exe", "python3"]);
// Branch 1: Process-based detection — known poisoning tool names or command line keywords
let ProcessAlerts = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (PoisoningTools)
    or ProcessCommandLine has_any (PoisoningKeywords)
    or (FileName in~ (PythonInterpreters) and ProcessCommandLine has_any (PoisoningKeywords))
| extend HasResponder = (FileName =~ "responder.exe" or ProcessCommandLine has "Responder")
| extend HasInveigh = ProcessCommandLine has_any ("Inveigh", "Invoke-Inveigh", "Inveigh-Unprivileged")
| extend HasRelay = ProcessCommandLine has_any ("ntlmrelayx", "smbrelayx", "MultiRelay")
| extend IsPythonBased = FileName in~ (PythonInterpreters)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath,
         HasResponder, HasInveigh, HasRelay, IsPythonBased;
// Branch 2: Network-based detection — unexpected processes communicating on LLMNR/NBT-NS ports
let NetworkAlerts = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (5355, 137) or LocalPort in (5355, 137)
| where not (InitiatingProcessFileName in~ ("svchost.exe", "lsass.exe", "dns.exe", "mDNSResponder.exe", "System"))
| project Timestamp, DeviceName,
         AccountName = InitiatingProcessAccountName,
         FileName = InitiatingProcessFileName,
         ProcessCommandLine = InitiatingProcessCommandLine,
         InitiatingProcessFileName = "",
         InitiatingProcessCommandLine = "",
         FolderPath = InitiatingProcessFolderPath,
         HasResponder = false, HasInveigh = false, HasRelay = false, IsPythonBased = false;
ProcessAlerts
| union NetworkAlerts
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Traffic Flow Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Authorized penetration testing or red team exercises where Responder or Inveigh is explicitly sanctioned via change ticket
Network diagnostic tools or Wireshark-based capture scripts that bind to UDP 5355/137 during authorized network analysis
Internal network assessment platforms that bundle Inveigh for authorized discovery scans
Python development or training environments running LLMNR/NBT-NS scripts in isolated lab networks
Security awareness training platforms that simulate poisoning attacks in controlled lab environments

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval LowerImage=lower(Image), LowerCmdLine=lower(CommandLine)
| eval IsKnownTool=if(
    match(LowerImage, "(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)"),
    1, 0)
| eval IsPythonPoisoner=if(
    match(LowerImage, "python[23]?\.exe") AND
    match(LowerCmdLine, "(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)"),
    1, 0)
| eval HasInveighKeyword=if(
    match(LowerCmdLine, "(invoke-inveigh|inveigh-unprivileged|\\binveigh\\b)"),
    1, 0)
| eval HasRelayKeyword=if(
    match(LowerCmdLine, "(ntlmrelayx|smbrelayx|multirelay|-rpv)"),
    1, 0)
| eval HasLLMNRKeyword=if(
    match(LowerCmdLine, "(llmnr|nbt-ns|nbns|llmnrspoof|nbrespond)"),
    1, 0)
| eval SuspicionScore=IsKnownTool + IsPythonPoisoner + HasInveighKeyword + HasRelayKeyword + HasLLMNRKeyword
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsKnownTool, IsPythonPoisoner, HasInveighKeyword, HasRelayKeyword, HasLLMNRKeyword, SuspicionScore
| sort - SuspicionScore - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized penetration testing activities on the same network segment where these tools are explicitly sanctioned
Security research or training environments running Responder or Inveigh in isolated lab infrastructure
Network debugging Python scripts that reference LLMNR or NBT-NS in legitimate diagnostic contexts
Purple team exercises where Responder execution is pre-approved and documented in change management
Security assessment platforms bundling Inveigh for authorized internal network assessments

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and
    event.type == "start" and
    (
      process.name : ("responder.exe", "inveigh.exe", "ntlmrelayx.exe", "smbrelayx.exe", "multirelay.exe", "nbnspoof.exe", "conveigh.exe")
      or process.command_line : ("*Responder*", "*Inveigh*", "*Invoke-Inveigh*", "*ntlmrelayx*", "*smbrelayx*", "*MultiRelay*", "*NBNSpoof*", "*llmnr_response*", "*-rPv*", "*Inveigh-Unprivileged*")
      or (
        process.name : ("python.exe", "python3.exe", "python3") and
        process.command_line : ("*responder*", "*inveigh*", "*ntlmrelayx*", "*smbrelayx*", "*multirelay*", "*nbnspoof*", "*llmnr_response*")
      )
    )
  ) or (
    event.category == "network" and
    event.type in ("connection", "start") and
    destination.port in (5355, 137) and
    not process.name : ("svchost.exe", "lsass.exe", "dns.exe", "System", "mDNSResponder.exe")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security agent (endpoint.events.process, endpoint.events.network) Winlogbeat with Sysmon module Packetbeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-*

False Positives

Network administrators using Wireshark or tcpdump capturing on LLMNR/NBT-NS ports for legitimate troubleshooting will trigger the network branch on port 5355 or 137.
Authorized red team or penetration testing engagements executing Responder, Inveigh, or ntlmrelayx are indistinguishable from malicious use by process name alone — cross-reference with engagement windows or asset exclusion lists.
Python scripts used in web development or IT automation whose argument strings partially overlap with poisoning tool keyword patterns (e.g., Flask responder callbacks, relay proxy scripts).

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(deviceTime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username,
  sourceip,
  "Process Image" AS process_image,
  "Process CommandLine" AS command_line,
  "Parent Process Image" AS parent_image,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE
  (
    LOWER("Process Image") MATCHES '(?i)(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)'
    OR LOWER("Process CommandLine") MATCHES '(?i)(responder|inveigh|invoke-inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response|-rpv|inveigh-unprivileged)'
    OR (
      LOWER("Process Image") MATCHES '(?i)python[23]?\.exe'
      AND LOWER("Process CommandLine") MATCHES '(?i)(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)'
    )
  )
LAST 24 HOURS
ORDER BY deviceTime DESC

high severity high confidence

Data Sources

IBM QRadar with Microsoft Windows Sysmon DSM (LOGSOURCETYPEID 141) Windows Security Event Log DSM (LOGSOURCETYPEID 12)

Required Tables

events (QRadar normalized event store with custom properties 'Process Image', 'Process CommandLine', and 'Parent Process Image' populated by Sysmon DSM)

False Positives

Authorized penetration testers running Responder or ntlmrelayx from whitelisted source IPs or known service accounts during documented assessment windows — add sourceip or username exclusions to the WHERE clause.
Python-based internal automation or scripting tools whose argument strings contain overlapping terms such as 'responder' (HTTP response callback classes), 'relay' (event relay services), or 'inveigh' for unrelated logic.
Security awareness simulation platforms that spawn poisoning tool processes in controlled lab environments forwarding logs to the production QRadar instance.

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "1" OR EventID = "1"
| toLowerCase(Image) as lower_image
| toLowerCase(CommandLine) as lower_cmdline
| if(lower_image matches /responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe/, 1, 0) as is_known_tool
| if(lower_image matches /python[23]?\.exe/ and lower_cmdline matches /responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response/, 1, 0) as is_python_poisoner
| if(lower_cmdline matches /invoke-inveigh|inveigh-unprivileged|inveigh/, 1, 0) as has_inveigh
| if(lower_cmdline matches /ntlmrelayx|smbrelayx|multirelay|-rpv/, 1, 0) as has_relay
| if(lower_cmdline matches /llmnr|nbt-ns|nbns|llmnrspoof|nbrespond/, 1, 0) as has_llmnr
| (is_known_tool + is_python_poisoner + has_inveigh + has_relay + has_llmnr) as suspicion_score
| where suspicion_score > 0
| fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, ParentCommandLine, is_known_tool, is_python_poisoner, has_inveigh, has_relay, has_llmnr, suspicion_score
| sort by suspicion_score desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Windows Event Log collector with Sysmon Operational channel Sumo Logic Installed Collector with Windows Sysmon source (Event ID 1, Image, CommandLine, ParentImage, User fields required)

Required Tables

Sumo Logic partitions indexed with _sourceCategory matching *windows* or *sysmon*, containing Sysmon Event ID 1 data with Image, CommandLine, ParentImage, and User fields parsed

False Positives

Authorized red team operators executing Responder or Inveigh during a documented engagement — tool names are identical to malicious use and cannot be distinguished without out-of-band engagement records or asset exclusions.
Python-based REST API automation or internal tooling whose invocation arguments include 'flask responder', 'relay handler', or 'invoke-' prefixes for unrelated HTTP or messaging workflows.
Security simulation platforms (e.g., AttackIQ, SafeBreach) replaying T1557.001 in connected lab environments with log forwarding enabled to production Sumo Logic instances.

Google Chronicle / SecOps

yaral

rule t1557_001_llmnr_nbtns_poisoning_smb_relay {
  meta:
    author = "Detection Engineering"
    description = "Detects LLMNR/NBT-NS poisoning and SMB relay attacks via known tool binary names and command-line indicators. Covers Responder, Inveigh, ntlmrelayx, smbrelayx, MultiRelay, NBNSpoof, conveigh, and Python-based Impacket variants."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1557.001"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1557/001/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)`)
      or re.regex($e.target.process.command_line, `(?i)(Responder|Inveigh|Invoke-Inveigh|ntlmrelayx|smbrelayx|MultiRelay|NBNSpoof|llmnr_response|-rPv|Inveigh-Unprivileged)`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)python[23]?\.exe`)
        and re.regex($e.target.process.command_line, `(?i)(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH events ingested from CrowdStrike Falcon, Carbon Black, Sysmon via BindPlane, or Windows Security log via Chronicle forwarder)

Required Tables

Chronicle UDM event store (PROCESS_LAUNCH event type with target.process.file.full_path and target.process.command_line fields populated)

False Positives

Authorized red team or penetration testing activities using Responder or ntlmrelayx from documented source hostnames — add principal.hostname exclusion conditions for known assessment endpoints.
Security researchers executing tool binaries in isolated sandbox or VM environments whose Sysmon logs are inadvertently forwarded to production Chronicle ingestion pipelines.
Python scripts in developer or CI/CD environments whose invocation arguments include 'responder', 'relay', or 'inveigh' as module or function names for unrelated network or web framework code.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)/
  OR CommandLine = /(?i)(Responder|Inveigh|Invoke-Inveigh|ntlmrelayx|smbrelayx|MultiRelay|NBNSpoof|llmnr_response|-rPv|Inveigh-Unprivileged)/
  OR (ImageFileName = /(?i)python[23]?\.exe/ AND CommandLine = /(?i)(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)/)
| case {
    ImageFileName = /(?i)(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)/ | IsKnownTool := "true";
    * | IsKnownTool := "false"
  }
| case {
    ImageFileName = /(?i)python[23]?\.exe/ AND CommandLine = /(?i)(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)/ | IsPythonPoisoner := "true";
    * | IsPythonPoisoner := "false"
  }
| case {
    CommandLine = /(?i)(invoke-inveigh|inveigh-unprivileged|inveigh)/ | HasInveigh := "true";
    * | HasInveigh := "false"
  }
| case {
    CommandLine = /(?i)(ntlmrelayx|smbrelayx|multirelay|-rpv)/ | HasRelay := "true";
    * | HasRelay := "false"
  }
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsKnownTool, IsPythonPoisoner, HasInveigh, HasRelay])
| sort(@timestamp, order=desc, limit=200)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Activity Monitoring (ProcessRollup2 events via Falcon Data Replicator or Falcon Event Search / LogScale repository)

Required Tables

ProcessRollup2 events (requires Falcon Insight XDR or equivalent with process telemetry; fields: ImageFileName, CommandLine, ParentBaseFileName, ComputerName, UserName)

False Positives

Authorized red team operators using Responder or ntlmrelayx from pre-approved endpoints or under documented service accounts — add ComputerName or UserName exclusions for known red team assets.
Python-based DevOps tooling, REST API clients, or internal automation scripts whose command-line arguments include strings overlapping with poisoning tool names (e.g., 'auto-responder.py', 'relay-agent', 'invoke-workflow').
Security tooling vendors or SIEM management scripts that spawn Python subprocesses with script names containing 'inveigh', 'relay', or 'responder' as functional labels for unrelated network communication tasks.

LLMNR/NBT-NS Poisoning and SMB Relay

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections