T1557.001 CrowdStrike LogScale · LogScale

Detect LLMNR/NBT-NS Poisoning and SMB Relay in CrowdStrike LogScale

Adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system, collecting or relaying authentication materials. By responding to LLMNR (UDP 5355) and NBT-NS (UDP 137) queries, attackers poison name resolution so that victims authenticate to the adversary system, capturing NTLMv1/v2 hashes for offline cracking or relay attacks. Captured hashes may be relayed directly to SMB, LDAP, MSSQL, or HTTP services to authenticate as the victim without ever cracking the hash. Tools such as Responder, Inveigh, Impacket ntlmrelayx, and NBNSpoof are commonly used. Threat actors including Lazarus Group and Wizard Spider have used this technique for credential collection and lateral movement.

MITRE ATT&CK

Tactic
Credential Access Collection
Technique
T1557 Adversary-in-the-Middle
Sub-technique
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
Canonical reference
https://attack.mitre.org/techniques/T1557/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)/
  OR CommandLine = /(?i)(Responder|Inveigh|Invoke-Inveigh|ntlmrelayx|smbrelayx|MultiRelay|NBNSpoof|llmnr_response|-rPv|Inveigh-Unprivileged)/
  OR (ImageFileName = /(?i)python[23]?\.exe/ AND CommandLine = /(?i)(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)/)
| case {
    ImageFileName = /(?i)(responder\.exe|inveigh\.exe|ntlmrelayx\.exe|smbrelayx\.exe|multirelay\.exe|nbnspoof\.exe|conveigh\.exe)/ | IsKnownTool := "true";
    * | IsKnownTool := "false"
  }
| case {
    ImageFileName = /(?i)python[23]?\.exe/ AND CommandLine = /(?i)(responder|inveigh|ntlmrelayx|smbrelayx|multirelay|nbnspoof|llmnr_response)/ | IsPythonPoisoner := "true";
    * | IsPythonPoisoner := "false"
  }
| case {
    CommandLine = /(?i)(invoke-inveigh|inveigh-unprivileged|inveigh)/ | HasInveigh := "true";
    * | HasInveigh := "false"
  }
| case {
    CommandLine = /(?i)(ntlmrelayx|smbrelayx|multirelay|-rpv)/ | HasRelay := "true";
    * | HasRelay := "false"
  }
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsKnownTool, IsPythonPoisoner, HasInveigh, HasRelay])
| sort(@timestamp, order=desc, limit=200)
high severity high confidence

Detects LLMNR/NBT-NS poisoning and SMB relay tool execution in CrowdStrike Falcon via LogScale CQL querying ProcessRollup2 events. Filters on known poisoning binary names via case-insensitive regex, Python interpreter instances with poisoning command-line arguments, and broad keyword patterns covering Responder, Inveigh, ntlmrelayx, and related tools. Per-event enrichment flags (IsKnownTool, IsPythonPoisoner, HasInveigh, HasRelay) enable analyst triage prioritization. Requires Falcon Insight XDR or equivalent process telemetry license.

Data Sources

CrowdStrike Falcon Endpoint Activity Monitoring (ProcessRollup2 events via Falcon Data Replicator or Falcon Event Search / LogScale repository)

Required Tables

ProcessRollup2 events (requires Falcon Insight XDR or equivalent with process telemetry; fields: ImageFileName, CommandLine, ParentBaseFileName, ComputerName, UserName)

False Positives & Tuning

  • Authorized red team operators using Responder or ntlmrelayx from pre-approved endpoints or under documented service accounts — add ComputerName or UserName exclusions for known red team assets.
  • Python-based DevOps tooling, REST API clients, or internal automation scripts whose command-line arguments include strings overlapping with poisoning tool names (e.g., 'auto-responder.py', 'relay-agent', 'invoke-workflow').
  • Security tooling vendors or SIEM management scripts that spawn Python subprocesses with script names containing 'inveigh', 'relay', or 'responder' as functional labels for unrelated network communication tasks.
Download portable Sigma rule (.yml)

Other platforms for T1557.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Invoke-Inveigh LLMNR and NBT-NS Poisoning via PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Invoke-Inveigh', 'Net.WebClient', and 'DownloadString'. Sysmon Event ID 3: PowerShell process binding/connecting on UDP 5355 and UDP 137. PowerShell ScriptBlock Log Event ID 4104 capturing the full Inveigh module code and runtime output. Sysmon Event ID 22 (DNS Query) for the GitHub download request.

  2. Test 2Responder Python Execution in Analyze Mode

    Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'Responder.py' and '-I'. Sysmon Event ID 3: python3.exe binding on UDP 5355 (LLMNR) and UDP 137 (NBT-NS). DeviceNetworkEvents: InitiatingProcessFileName=python3.exe with LocalPort=5355 or 137. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'Responder'.

  3. Test 3Impacket ntlmrelayx Relay Tool Execution Against Loopback Target

    Expected signal: Sysmon Event ID 1: python3.exe with CommandLine containing 'ntlmrelayx.py', '-t', and 'smb://'. Sysmon Event ID 3: python3.exe attempting TCP connection to 127.0.0.1:445. DeviceProcessEvents: FileName=python3.exe, ProcessCommandLine contains 'ntlmrelayx'. Connection will fail (no SMB listener on loopback) but all process creation telemetry fires.

  4. Test 4Disable LLMNR and NBT-NS via Registry — Defensive Control Validation

    Expected signal: Sysmon Event ID 13 (Registry Value Set): HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast set to DWORD 0. Sysmon Event ID 1: powershell.exe with CommandLine containing 'Win32_NetworkAdapterConfiguration' and 'SetTcpipNetbios'. Security Event ID 4657 (if Object Access auditing enabled): registry key modification logged.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1557.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1557Adversary-in-the-Middle

Related Sub-techniques

T1557.002ARP Cache PoisoningT1557.003DHCP SpoofingT1557.004Evil Twin

Related Techniques

T1557Adversary-in-the-MiddleT1040Network SniffingT1110Brute ForceT1110.002Password CrackingT1550.002Pass the HashT1021.002SMB/Windows Admin SharesT1484.001Group Policy ModificationT1003.001LSASS MemoryT1078Valid Accounts

Same Tactic: Credential Access

Popular Detections