Detect LLMNR/NBT-NS Poisoning and SMB Relay in Google Chronicle
Adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system, collecting or relaying authentication materials. By responding to LLMNR (UDP 5355) and NBT-NS (UDP 137) queries, attackers poison name resolution so that victims authenticate to the adversary system, capturing NTLMv1/v2 hashes for offline cracking or relay attacks. Captured hashes may be relayed directly to SMB, LDAP, MSSQL, or HTTP services to authenticate as the victim without ever cracking the hash. Tools such as Responder, Inveigh, Impacket ntlmrelayx, and NBNSpoof are commonly used. Threat actors including Lazarus Group and Wizard Spider have used this technique for credential collection and lateral movement.
MITRE ATT&CK
- Tactic: Credential Access, Collection
- Technique: T1557 Adversary-in-the-Middle
- Sub-technique: T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
- Canonical reference: https://attack.mitre.org/techniques/T1557/001/
YARA-L Detection Query
rule t1557_001_llmnr_nbtns_poisoning_smb_relay {
  meta:
    author = "Detection Engineering"
    description = "Detects LLMNR/NBT-NS poisoning and SMB relay attacks via known tool binary names and command-line indicators. Covers Responder, Inveigh, ntlmrelayx, smbrelayx, MultiRelay, NBNSpoof, conveigh, and Python-based Impacket variants."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1557.001"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1557/001/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)`)
      or re.regex($e.target.process.command_line, `(?i)(Responder|Inveigh|Invoke-Inveigh|ntlmrelayx|smbrelayx|MultiRelay|NBNSpoof|llmnr_response|-rPv|Inveigh-Unprivileged)`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)python[23]?\.exe`)
        and re.regex($e.target.process.command_line, `(?i)(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting LLMNR/NBT-NS poisoning and SMB relay tool execution using UDM PROCESS_LAUNCH events. It matches on known poisoning tool binary names in the full process path (target.process.file.full_path), on suspicious command-line arguments (target.process.command_line), and on Python interpreter instances combined with poisoning-related arguments. The rule uses the Chronicle UDM target.process fields, which represent the newly launched process in PROCESS_LAUNCH events. Backtick-delimited regex strings are raw literals passed directly to the RE2 engine.
Data Sources
Required Tables
False Positives & Tuning
- Authorized red team or penetration testing activities using Responder or ntlmrelayx from documented source hostnames — add principal.hostname exclusion conditions for known assessment endpoints.
- Security researchers executing tool binaries in isolated sandbox or VM environments whose Sysmon logs are inadvertently forwarded to production Chronicle ingestion pipelines.
- Python scripts in developer or CI/CD environments whose invocation arguments include 'responder', 'relay', or 'inveigh' as module or function names for unrelated network or web framework code.
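To see exactly which records the rule's three branches fire on, and how the hostname exclusion from the tuning list above behaves, here is an added Python re-implementation of the rule logic. It is not Chronicle's engine and not the page's own code: the regexes are copied from the rule, the dictionary keys stand in for the UDM fields the rule reads, and the hostnames, paths and command lines are constructed samples (including the developer false positive from the tuning list and a documented assessment host).

```python
"""Added example: the YARA-L rule's three match branches re-implemented in Python
and run over constructed UDM-style PROCESS_LAUNCH records. Not part of the page."""
import re
from typing import List, Optional, Tuple

# Regexes copied verbatim from the YARA-L rule; Python's re accepts the same (?i) prefix as RE2.
TOOL_PATH_RE = re.compile(r"(?i)(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)")
TOOL_CMD_RE = re.compile(r"(?i)(Responder|Inveigh|Invoke-Inveigh|ntlmrelayx|smbrelayx|MultiRelay|NBNSpoof|llmnr_response|-rPv|Inveigh-Unprivileged)")
PYTHON_PATH_RE = re.compile(r"(?i)python[23]?\.exe")
PYTHON_CMD_RE = re.compile(r"(?i)(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)")

# Documented assessment endpoints to exclude on principal.hostname (constructed placeholder).
ASSESSMENT_HOSTS = {"redteam-jump01"}


def matched_branch(event: dict) -> Optional[str]:
    """Return which branch of the rule's events section fires for `event`, or None.

    Keys mirror the UDM fields the rule reads: metadata.event_type ->
    'event_type', target.process.file.full_path -> 'full_path',
    target.process.command_line -> 'command_line'.
    """
    if event.get("event_type") != "PROCESS_LAUNCH":
        return None
    path = event.get("full_path", "")
    cmd = event.get("command_line", "")
    if TOOL_PATH_RE.search(path):
        return "binary_name"
    if TOOL_CMD_RE.search(cmd):
        return "command_line"
    # Every term here is already matched case-insensitively by TOOL_CMD_RE,
    # so this branch is only reached if the command-line branch was narrowed.
    if PYTHON_PATH_RE.search(path) and PYTHON_CMD_RE.search(cmd):
        return "python_interpreter"
    return None


def should_alert(event: dict) -> bool:
    """Rule match after the hostname exclusion suggested under False Positives & Tuning."""
    if event.get("hostname") in ASSESSMENT_HOSTS:
        return False
    return matched_branch(event) is not None


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1: tool binary launched by name on a workstation
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws-fin-042",
     "full_path": r"C:\Users\Public\Responder.exe", "command_line": "Responder.exe -I Ethernet0"},
    # 2: PowerShell invocation matched on the command line
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws-fin-042",
     "full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Invoke-Inveigh"},
    # 3: developer test run; 'autoresponder' contains 'responder' (the false positive from the tuning list)
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws-dev-007",
     "full_path": r"C:\Python311\python.exe", "command_line": "python.exe -m pytest tests/test_autoresponder.py"},
    # 4: documented assessment host, suppressed by the hostname exclusion
    {"event_type": "PROCESS_LAUNCH", "hostname": "redteam-jump01",
     "full_path": r"C:\Python311\python3.exe", "command_line": "python3.exe ntlmrelayx.py -t smb://127.0.0.1"},
    # 5: wrong event type, never evaluated by the rule
    {"event_type": "NETWORK_CONNECTION", "hostname": "ws-fin-042",
     "full_path": r"C:\Users\Public\Responder.exe", "command_line": "Responder.exe -I Ethernet0"},
    # 6: benign launch
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws-fin-042",
     "full_path": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
]


def triage(events: List[dict]) -> List[Tuple[str, Optional[str], bool]]:
    """(hostname, matched branch, alert after tuning) for each record."""
    return [(e["hostname"], matched_branch(e), should_alert(e)) for e in events]


if __name__ == "__main__":
    for host, branch, alert in triage(SAMPLE_EVENTS):
        print(f"{host:16} branch={branch!s:18} alert={alert}")
```

Running the samples shows that record 3 fires on the command-line branch, not the Python branch: because the command-line branch is case-insensitive and already contains every term of the Python-interpreter branch, the third branch never adds coverage as written, and any tuning of the developer false positive has to be done on the command-line terms (or, as the list above suggests, by excluding the documented hosts).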
Other platforms for T1557.001
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Invoke-Inveigh LLMNR and NBT-NS Poisoning via PowerShell
  Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Invoke-Inveigh', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: PowerShell process binding/connecting on UDP 5355 and UDP 137. PowerShell ScriptBlock Log Event ID 4104 capturing the full Inveigh module code and runtime output. Sysmon Event ID 22 (DNS Query) for the GitHub download request.
- Test 2: Responder Python Execution in Analyze Mode
  Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'Responder.py' and '-I'. Sysmon Event ID 3: python3.exe binding on UDP 5355 (LLMNR) and UDP 137 (NBT-NS). DeviceNetworkEvents: InitiatingProcessFileName=python3.exe with LocalPort=5355 or 137. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'Responder'.
- Test 3: Impacket ntlmrelayx Relay Tool Execution Against Loopback Target
  Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'ntlmrelayx.py', '-t', and 'smb://'. Sysmon Event ID 3: python3.exe attempting TCP connection to 127.0.0.1:445. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'ntlmrelayx'. The connection will fail (no SMB listener on loopback) but all process creation telemetry fires.
- Test 4: Disable LLMNR and NBT-NS via Registry — Defensive Control Validation
  Expected signal: Sysmon Event ID 13 (Registry Value Set): HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast set to DWORD 0. Sysmon Event ID 1: powershell.exe with CommandLine containing 'Win32_NetworkAdapterConfiguration' and 'SetTcpipNetbios'. Security Event ID 4657 (if Object Access auditing enabled): registry key modification logged.
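The expected-signal lists above are easy to check by hand once but tedious to re-check after every Sysmon or forwarding change. The following added Python harness (not from the page, Atomic Red Team, or Sysmon) encodes each test's expected telemetry as predicates over Sysmon-style event dictionaries and reports how many of a test's signals were observed. The Sysmon field names (EventID, Image, CommandLine, Protocol, SourcePort, DestinationPort, DestinationIp, TargetObject, Details) and the 'DWORD (0x00000000)' rendering of DWORD values follow Sysmon's event schema; the sample events are constructed and deliberately leave Test 2's network event missing.

```python
"""Added example: check constructed Sysmon-style events against the expected
signals listed for the four Atomic Red Team tests. Not part of the page."""
from typing import Callable, Dict, List, Optional, Set

Check = Callable[[dict], bool]


def process_launch(image: str, *needles: str) -> Check:
    """Sysmon Event ID 1 from `image` whose CommandLine contains every needle (case-insensitive)."""
    def check(e: dict) -> bool:
        cmd = e.get("CommandLine", "").lower()
        return (e.get("EventID") == 1
                and e.get("Image", "").lower().endswith(image.lower())
                and all(n.lower() in cmd for n in needles))
    return check


def network_connect(image: str, protocol: str, ports: Set[int], dest_ip: Optional[str] = None) -> Check:
    """Sysmon Event ID 3 from `image` over `protocol` using one of `ports` (either side)."""
    def check(e: dict) -> bool:
        port_hit = e.get("DestinationPort") in ports or e.get("SourcePort") in ports
        return (e.get("EventID") == 3
                and e.get("Image", "").lower().endswith(image.lower())
                and e.get("Protocol", "").lower() == protocol
                and port_hit
                and (dest_ip is None or e.get("DestinationIp") == dest_ip))
    return check


def registry_dword(target: str, value: int) -> Check:
    """Sysmon Event ID 13 setting `target` to DWORD `value`; Sysmon renders DWORDs as 'DWORD (0x00000000)'."""
    def check(e: dict) -> bool:
        return (e.get("EventID") == 13
                and e.get("TargetObject", "").lower() == target.lower()
                and e.get("Details") == f"DWORD (0x{value:08x})")
    return check


# Expected telemetry per test, transcribed from the Testing Methodology section.
EXPECTED: Dict[str, List[Check]] = {
    "Test 1": [process_launch("powershell.exe", "Invoke-Inveigh", "Net.WebClient", "DownloadString"),
               network_connect("powershell.exe", "udp", {5355, 137})],
    "Test 2": [process_launch("python3.exe", "Responder.py", "-I"),
               network_connect("python3.exe", "udp", {5355, 137})],
    "Test 3": [process_launch("python3.exe", "ntlmrelayx.py", "-t", "smb://"),
               network_connect("python3.exe", "tcp", {445}, dest_ip="127.0.0.1")],
    "Test 4": [registry_dword(r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast", 0),
               process_launch("powershell.exe", "Win32_NetworkAdapterConfiguration", "SetTcpipNetbios")],
}


def evaluate(events: List[dict]) -> Dict[str, int]:
    """For each test, the number of its expected signals observed somewhere in `events`."""
    return {name: sum(any(chk(e) for e in events) for chk in checks)
            for name, checks in EXPECTED.items()}


def fully_observed(events: List[dict]) -> List[str]:
    """Tests for which every expected signal was seen."""
    return [name for name, seen in evaluate(events).items() if seen == len(EXPECTED[name])]


# Constructed sample telemetry: Test 4 complete, Test 2 missing its python3.exe network event.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_NetworkAdapterConfiguration | '
                    'ForEach-Object { $_.SetTcpipNetbios(2) }"'},
    {"EventID": 1, "Image": r"C:\Python311\python3.exe",
     "CommandLine": "python3.exe Responder.py -I eth0 -A"},
    # LLMNR traffic from the OS resolver, not from the test process
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Protocol": "udp",
     "SourcePort": 5355, "DestinationPort": 5355},
]


if __name__ == "__main__":
    for name, seen in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {seen}/{len(EXPECTED[name])} expected signals observed")
    print("fully observed:", fully_observed(SAMPLE_EVENTS))
```

The port check accepts a hit on either SourcePort or DestinationPort because Sysmon records a listener's UDP exchange with the multicast port on both sides, while the loopback check for Test 3 pins DestinationIp to 127.0.0.1 so that unrelated SMB traffic does not satisfy it.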
References (12)
- https://attack.mitre.org/techniques/T1557/001/
- https://github.com/SpiderLabs/Responder
- https://github.com/Kevin-Robertson/Inveigh
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
- https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html
- https://github.com/SecureAuthCorp/impacket
- https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
- https://github.com/nomex/nbnspoof
- https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netbios/netbios