Detect LLMNR/NBT-NS Poisoning and SMB Relay in Elastic Security
Adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system, collecting or relaying authentication materials. By responding to LLMNR (UDP 5355) and NBT-NS (UDP 137) queries, attackers poison name resolution so that victims authenticate to the adversary system, capturing NTLMv1/v2 hashes for offline cracking or relay attacks. Captured hashes may be relayed directly to SMB, LDAP, MSSQL, or HTTP services to authenticate as the victim without ever cracking the hash. Tools such as Responder, Inveigh, Impacket ntlmrelayx, and NBNSpoof are commonly used. Threat actors including Lazarus Group and Wizard Spider have used this technique for credential collection and lateral movement.
MITRE ATT&CK
- Tactic
- Credential Access Collection
- Technique
- T1557 Adversary-in-the-Middle
- Sub-technique
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
- Canonical reference
- https://attack.mitre.org/techniques/T1557/001/
Elastic Detection Query
any where
(
event.category == "process" and
event.type == "start" and
(
process.name : ("responder.exe", "inveigh.exe", "ntlmrelayx.exe", "smbrelayx.exe", "multirelay.exe", "nbnspoof.exe", "conveigh.exe")
or process.command_line : ("*Responder*", "*Inveigh*", "*Invoke-Inveigh*", "*ntlmrelayx*", "*smbrelayx*", "*MultiRelay*", "*NBNSpoof*", "*llmnr_response*", "*-rPv*", "*Inveigh-Unprivileged*")
or (
process.name : ("python.exe", "python3.exe", "python3") and
process.command_line : ("*responder*", "*inveigh*", "*ntlmrelayx*", "*smbrelayx*", "*multirelay*", "*nbnspoof*", "*llmnr_response*")
)
)
) or (
event.category == "network" and
event.type in ("connection", "start") and
destination.port in (5355, 137) and
not process.name : ("svchost.exe", "lsass.exe", "dns.exe", "System", "mDNSResponder.exe")
)Detects LLMNR/NBT-NS poisoning and SMB relay attacks using Elastic EQL. Branch 1 matches known poisoning tool binary names and suspicious command-line keywords across all process start events, including Python-based Impacket variants. Branch 2 flags unexpected processes connecting on LLMNR (UDP 5355) or NBT-NS (UDP 137) ports, excluding known-legitimate system processes.
Data Sources
Required Tables
False Positives & Tuning
- Network administrators using Wireshark or tcpdump capturing on LLMNR/NBT-NS ports for legitimate troubleshooting will trigger the network branch on port 5355 or 137.
- Authorized red team or penetration testing engagements executing Responder, Inveigh, or ntlmrelayx are indistinguishable from malicious use by process name alone — cross-reference with engagement windows or asset exclusion lists.
- Python scripts used in web development or IT automation whose argument strings partially overlap with poisoning tool keyword patterns (e.g., Flask responder callbacks, relay proxy scripts).
Other platforms for T1557.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Invoke-Inveigh LLMNR and NBT-NS Poisoning via PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Invoke-Inveigh', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: PowerShell process binding/connecting on UDP 5355 and UDP 137. PowerShell ScriptBlock Log Event ID 4104 capturing the full Inveigh module code and runtime output. Sysmon Event ID 22 (DNS Query) for the GitHub download request.
- Test 2Responder Python Execution in Analyze Mode
Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'Responder.py' and '-I'. Sysmon Event ID 3: python3.exe binding on UDP 5355 (LLMNR) and UDP 137 (NBT-NS). DeviceNetworkEvents: InitiatingProcessFileName=python3.exe with LocalPort=5355 or 137. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'Responder'.
- Test 3Impacket ntlmrelayx Relay Tool Execution Against Loopback Target
Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'ntlmrelayx.py', '-t', and 'smb://'. Sysmon Event ID 3: python3.exe attempting TCP connection to 127.0.0.1:445. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'ntlmrelayx'. Connection will fail (no SMB listener on loopback) but all process creation telemetry fires.
- Test 4Disable LLMNR and NBT-NS via Registry — Defensive Control Validation
Expected signal: Sysmon Event ID 13 (Registry Value Set): HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast set to DWORD 0. Sysmon Event ID 1: powershell.exe with CommandLine containing 'Win32_NetworkAdapterConfiguration' and 'SetTcpipNetbios'. Security Event ID 4657 (if Object Access auditing enabled): registry key modification logged.
References (12)
- https://attack.mitre.org/techniques/T1557/001/
- https://github.com/SpiderLabs/Responder
- https://github.com/Kevin-Robertson/Inveigh
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
- https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html
- https://github.com/SecureAuthCorp/impacket
- https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
- https://github.com/nomex/nbnspoof
- https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netbios/netbios
Unlock Pro Content
Get the full detection package for T1557.001 including response playbook, investigation guide, and atomic red team tests.